CISA Proposes Cyberattack Reporting Rules for Critical Infrastructure Entities

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has proposed a rule that implements cyberattack and ransom payment reporting requirements for critical infrastructure entities, as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

CIRCIA was signed into law by President Biden in March 2022. Among other things, it directs CISA to develop and implement regulations requiring critical infrastructure entities, including hospitals and health systems, to report covered cyber incidents and ransomware payments to CISA. The purpose of the reporting is to give CISA timely information about cyberattacks so that resources can be deployed rapidly and assistance provided to victims, and so that CISA can quickly identify attack trends and disseminate information that helps network defenders prevent further attacks.

When developing the new requirements, CISA consulted with various entities, including the Sector Risk Management Agencies, the Department of Justice, other appropriate Federal agencies, the DHS-chaired Cyber Incident Reporting Council, and non-federal stakeholders.

Incidents That Should Be Reported

  • Unauthorized access to systems
  • Denial of Service (DoS) attacks that last more than 12 hours
  • Malicious code on systems, including variants if known
  • Targeted and repeated scans against services on systems
  • Repeated attempts to gain unauthorized access to systems
  • Email or mobile messages associated with phishing attempts or successes
  • Ransomware against critical infrastructure, including variant and ransom details if known

Information That Should Be Shared

  1. Incident date and time
  2. Incident location
  3. Type of observed activity
  4. Detailed narrative of the event
  5. Number of people or systems affected
  6. Company/Organization name
  7. Point of Contact details
  8. Severity of event
  9. Critical Infrastructure Sector if known
  10. Anyone else that has been informed

Proposed Timeframe for Reporting

Time is of the essence when reporting incidents. The sooner CISA is informed, the faster information can be shared to warn other organizations in the sector about attackers’ tactics, techniques, and procedures. Under the proposed rule, covered entities will be required to report a covered cyber incident within 72 hours of reasonably believing that the incident has occurred, and ransom payments will need to be reported within 24 hours of the payment being made.

Because CIRCIA’s reporting requirements must be implemented through regulation, CISA is first required to publish a Notice of Proposed Rulemaking (NPRM) in the Federal Register and accept public comments for 60 days. The NPRM was published in the Federal Register on March 27, 2024. CIRCIA requires the Final Rule to be published within 18 months of the date of the NPRM.

The new reporting requirements will not be mandatory until the Final Rule takes effect; however, CISA encourages all critical infrastructure entities to voluntarily report cyberattacks and ransom payments ahead of the compliance date. The information shared allows CISA to provide assistance to victims and to warn other organizations so they can avoid similar attacks.

CISA has released a fact sheet that summarizes the key requirements, and the full NPRM can be viewed in the Federal Register.

The post CISA Proposes Cyberattack Reporting Rules for Critical Infrastructure Entities appeared first on HIPAA Journal.

California and North Dakota Hospitals Report Cyberattacks

Cyberattacks have been reported by Pembina County Memorial Hospital, Pomona Valley Hospital Medical Center, and Rancho Family Medical Group. Separately, the Massachusetts Department of Developmental Services has discovered that documents containing PHI were left unsecured for a decade.

Pembina County Memorial Hospital

Pembina County Memorial Hospital in Cavalier, ND, has confirmed that unauthorized individuals gained access to its network and exfiltrated sensitive patient data. Suspicious activity was detected within the network on April 13, 2023. After securing its systems, the hospital launched a forensic investigation to determine the nature and scope of the unauthorized activity. The investigation confirmed that there had been unauthorized access to the network between March 7, 2023, and April 13, 2023, and that files had been exfiltrated.

The forensic investigation and document review took almost a year, with the hospital stating in its breach notice that those processes were not completed until March 4, 2024. The types of information involved varied from individual to individual and may have included first and last names in combination with one or more of the following: address, phone number, email address, date of birth, driver’s license number, government identification number, vehicle identification number, passport number, Social Security number, patient ID account number, medical information, health information and/or health insurance information.

Pembina County Memorial Hospital said it has implemented additional cybersecurity safeguards, enhanced its cybersecurity training, and revised and updated its policies, procedures, and protocols. Complimentary identity monitoring and protection services have been offered to individuals whose Social Security numbers were involved. The breach is not yet listed on the HHS’ Office for Civil Rights breach portal, but the notification sent to the Maine Attorney General indicates that 23,451 individuals have been affected.

Pomona Valley Hospital Medical Center

Pomona Valley Hospital Medical Center in California is notifying 13,345 individuals about a data breach at a subcontractor of one of its business associates. The hospital used a vendor to run its patient-management tool, and the vendor subcontracted the storage of the underlying data to another company. In November 2023, the vendor was unable to access the patient-management tool and worked with its subcontractor to address the problem. The access problems were found to be due to a ransomware attack.

The investigation determined that the attacker had accessed patient data, including names, medical record numbers, dates of birth, and clinical information such as allergies, diagnoses, medications, and doctors’ notes. The hospital identified the specific data involved, verified contact information, and has now sent notification letters to the affected individuals. The hospital has confirmed that it no longer uses the vendor or the subcontractor in connection with patient data.

Rancho Family Medical Group

Rancho Family Medical Group, Inc., a 10-location California health system, has confirmed that it has been affected by a data breach at its business associate, KMJ Health Solutions, a provider of online signout and charge capture systems.

Rancho Family Medical Group was notified on January 11, 2024, that there had been unauthorized access to the KMJ Health Solutions network on November 19, 2023. The compromised parts of the network contained the protected health information of 10,480 individuals, including names, dates of birth, hospital medical record numbers, hospital treatment locations, dates of service, and procedure medical codes. Rancho Family Medical Group mailed notification letters to the affected individuals on March 11, 2024, along with information about the steps they can take to protect themselves against misuse of their data.

Massachusetts Department of Developmental Services

The Massachusetts Department of Developmental Services (DDS), a state agency that provides support to individuals with intellectual and developmental disabilities, has discovered that physical records were exposed and may have been accessed by unauthorized individuals.

Personal documents containing protected health information were inadvertently left in buildings on the former Walter E. Fernald Developmental Center campus in Waltham, MA, which was sold to the city of Waltham in 2014. The records included the PHI of individuals served by DDS at the Fernald Developmental Center, as well as some staff records. DDS received a complaint about the documents on January 11, 2024, and visited the facilities to recover them the following day.

The documents had been improperly stored in the buildings since 2014, and many had degraded, so it was not possible to determine the exact types of information that had been exposed. Some documents contained names, dates of birth, diagnoses, medical information, medication/prescription information, and other treatment information. No financial account information or Social Security numbers were found, but DDS said it could not confirm whether those data types had been exposed given the condition of the documents. For the same reason, it may not be possible to determine exactly how many people were affected; an interim figure of 500 individuals was used when reporting the breach. DDS is now awaiting recommendations from the State Archivist and the Secretary of State’s Office on how long the documents should be retained.

The post California and North Dakota Hospitals Report Cyberattacks appeared first on HIPAA Journal.