Education Technology

What Does the CIRCIA Law Mean For Care Providers?

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law on March 15th, 2022. This act applies to all companies that operate in a critical infrastructure sector, including healthcare companies. 

Every company that deals with protected health information (PHI) must be HIPAA compliant. This entails having physical, network, and operational security measures in place as well as specialized IT and cybersecurity support. HIPAA compliant practices are tightly protected from cyberattacks and potential losses. In contrast, non-compliant, under-protected practices put patients and employees at risk of damaging their revenue and reputation.

What is CIRCIA?  

CIRCIA provides new reporting requirements related to ransomware payments and other cybersecurity incidents for all companies that provide critical infrastructure. Thus, dental, medical, and other critical infrastructure companies MUST report ALL cyber incidents within 72 hours and all ransomware payments within 24 hours to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security. This applies whether the company has knowledge of a cyber incident or believes that a cyber incident has occurred.

Companies that fail to comply with CIRCIA requirements will face regulatory enforcement action or potential criminal prosecution by the Department of Justice. This means that specialized IT management, including cybersecurity support and HIPAA compliance, is no longer an option for your dental practice. Instead, it is a necessity that will save your reputation, career, and practice should an incident occur.

Why is CIRCIA necessary for care providers? 

Occurrences of retaliatory cyber attacks targeted at the US have dramatically increased since Russia invaded Ukraine. These attacks necessitated the establishment of CIRCIA. As one of the sixteen critical infrastructure sectors, dental and medical practices are subject to this act.

It has been observed that most dental and medical practices in the U.S. lack the infrastructure to prevent cyber attacks. An absence of managed firewalls, security software, specialized IT, cybersecurity experts, and HIPAA non-compliance means that many dental practices are prone to cybersecurity breaches and even left unable to recover from attacks. What’s more, these practices are finding they cannot handle the expansive CIRCIA reporting requirements on their own.

Thus, CIRCIA mandates these practices put structures and processes that ensure valuable patient and public health data is secure. Care provider practices must comply with these mandates to avoid facing regulatory action or possible criminal prosecution from the Department of Justice. It’s important to note, practices that can prove proper risk analysis and an ongoing security management plan will face no financial penalty.

What if I already have someone who manages my IT network?

It is not enough to have a simple IT program implemented in your office. Electronic PHI is highly vulnerable to cyberattacks, whether in server or cloud-based environments. Without experienced data security experts on your side, your data is highly likely to be compromised, leading to financial and reputational losses. With CIRCIA in place, you may now face government repercussions on top of these losses.
The CIRCIA bill mandates that all companies have Managed Service Providers to bolster cybersecurity. For care provider practices, this means getting dental and medical specific IT. In the event of an attack, such professionals can also assist you in meeting reporting requirements and recovering efficiently. Industry-agnostic Managed Service Providers lack the expertise needed to keep your practice safe and compliant. 

If you would like to learn more about the safeguards IRIS puts in place to protect your business and how we recommend covering your Cybersecurity and HIPAA compliance, please reach out to to schedule a complimentary IT audit.

Leave a comment

Your email address will not be published.