This Week Health


In this episode of the Two Minute Drill, Drex discusses the latest in cybersecurity regulations affecting the healthcare sector. Key points include the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), new proposed reporting rules by CISA, and the Healthcare Cybersecurity Improvement Act introduced by Senator Mark Warner. He also covers how these developments signal increased regulatory oversight for healthcare providers and the importance of public commentary in shaping these regulations.



Hey everyone, I'm Drex, and this is the Two Minute Drill. We do at least three security stories at least two times a week, all part of one great community, the 229 Cyber and Risk Community here at This Week Health. This is mostly plain English, mostly non-technical, so it's easy to share with other folks in your organization.

And now the 2 Minute Drill is available on Apple Podcasts, or wherever you get your downloads. Just search for This Week Health Newsroom. The Drill is one of a collection of shows in that channel. So smash the like and subscribe button as they say, and thanks in advance for sharing this with your peers.

Uh, I'm glad you're with me today. Here's some stuff you might want to know about. I've talked about this a few times on the Two Minute Drill, the undeniable fact that there's more regulation and more rules coming for critical infrastructure cybersecurity teams, and that means all of us in healthcare, because we're specifically included in the government's definition of critical infrastructure.

That signal of more cyber rules and regulation has been flashing pretty brightly for a while, from the recently released cybersecurity performance goals, to the fact that the SEC has been pressing hard on public companies with new cyber reporting rules, to the reality that there was a piece of legislation signed into law back in 2022 called the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA.

And if I'm pronouncing the acronym wrong, somebody please let me know. CIRCIA tasked CISA, the U.S. Cybersecurity and Infrastructure Agency, to create the rules that will enact the law. And so here we are, two years later, it's time for the rules. And CISA has issued a notice of proposed rulemaking. The notice, it's out.

It's a lot, 447 pages, but there's several stories published about the notice and you can find some of those at ThisWeekHealth.com slash news, but just for convenience, here's some insights on the content. As written, the notice says we'd all have to report substantial cyber incidents within 72 hours of discovering them.

And if your organization decides to pay a ransom, you'll have to report that within 24 hours. Now, this isn't like the HHS wall of shame. The reports will not, repeat, will not be publicly disclosed, but the data may be anonymized and then used or shared to help warn other potential victims of adversary activity in our industry.

Now that required reporting would be done to CISA via a website, which is yet to be developed. And the details of those reporting requirements are also under development. So that's some of the reason it's probably important that you read the notice and then go make comments. With most of these regulatory development processes, the devil's in the details.

And so this is your opportunity to help influence the details. The notice of proposed rulemaking is supposed to be published on April 4th, and organizations will have about 60 days to comment on it. CISA has already been gathering lots of information over the past two years in a multitude of ways, so you should expect that the notice, as written, will probably wind up being pretty close to the way the final rules are enacted.

There's always room for improvement, so go comment. There are a few stories about this, along with some interesting embedded opinions, and we've posted those on our website at ThisWeekHealth.com slash news, and all those stories have links to the actual notice for proposed rulemaking, and the notice itself has information on how to submit comments.

Now there's one other story that bears quick mention today. It's tied to government cybersecurity stuff, and that's a new bill that's been introduced by Senator Mark Warner of Virginia. It's called the Healthcare Cybersecurity Improvement Act, and it would legally enable advanced and accelerated payments from the government to organizations who find themselves cash-strapped during a cyber incident, providing cybersecurity requirements.

Now, it turns out, with a lot more reading on my part, this is not what some would like to refer to as a meaningful use program for cybersecurity. But remember, as of right now, it's only a bill, and it's just sitting there on Capitol Hill. And with all bills, there's the potential for a lot of new ideas and markups and rewrites before it ever gets a chance to work, to become a law.

So it's another chance for you to get involved and write your congressman and senator and tell them what you actually want. As the lady once said, never waste a good crisis. And I think cybersecurity has, at least for the moment, everyone's attention. There's a lot of hot stories with healthcare cyber, so I drop all the 2 Minute Drill stories and a bunch more at ThisWeekHealth.com slash news.

And by the way, stopping by the news site each morning is a great way to help start your day. Get the latest, greatest, breakingest news on healthcare. Please like and share this post and tag your friends because security is everyone's business and cyber safety is patient safety. I'm Drex.

That's the 2 Minute Drill. Stay a little paranoid. I'll see you around campus.
