Major HIPAA Update: Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)

Originally Published on the Darkhorse Tech blog

Without specialized support for IT, Cybersecurity, and HIPAA compliance, you are putting your practice, employees, patients, and career at risk. Under-protected practices are experiencing compromised data, lost revenue, and damaged reputations (beyond repair), and now run the risk of repercussions from the Department of Justice and the Department of Health and Human Services. IT, cybersecurity, and HIPAA compliance are glaring weaknesses in the Dental Industry, and as of 2022 cybercriminals have made Dental Practices (and the Healthcare Provider Sector as a whole) the number one target for ransomware and other cyberattacks. The time to put a comprehensive plan in place is NOW.

As of March 15th, 2022, Dental Practices are subject to the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). This means specialized support for IT, Cybersecurity, and HIPAA compliance isn’t just a nice addition; it could be a practice-saving one.

What Does It Do?

The new law mandates the reporting of cyberattacks (of ANY kind) to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security. CIRCIA creates a partnership between CISA and Health and Human Services, defines reporting requirements, and establishes escalation to the Department of Justice for non-compliance.

Who is Accountable?

CIRCIA, signed after a ramped-up focus on cybersecurity and amid growing concern of retaliatory attacks targeting the US due to the Russian invasion of Ukraine, establishes reporting requirements of 72 hours for “cyber incidents” and 24 hours for ransomware payments to CISA by the “covered entity”. As one of the sixteen critical infrastructure sectors, Dentists (#2 named profession under the healthcare providers sector, as shown below) will be held accountable. Those impacted will also be required to preserve all forensic data during or immediately following an attack. Too many substandard IT practitioners have wiped and reloaded data without a proper investigation; this ends now.

Am I Safe?

The majority of Dental Practices in the USA do not have the basic but critical infrastructure in place (Actively Managed Firewalls, Security Software, Backups, Dental-Specific IT, Cybersecurity experts, or comprehensive HIPAA compliance management) to prevent, mitigate, or recover from a cyber-attack, let alone handle these new reporting requirements. Without adequate preparation and response, Dental Practices will be subject to a subpoena, and failure to comply may result in the referral of the matter to the Department of Justice. Those who can prove proper risk analysis and an ongoing security management plan will face no financial penalty. Can you prove that you are covered?

But I Already Have IT

Dental Practices will scramble to comply with this law and, worse, without an adequate plan in place, your data may already be compromised. With ePHI vulnerable to attack in both server and cloud-based environments, anything other than Dental-specific IT is insufficient and is likely to result in vulnerability, financial loss, downtime, and now, government-mandated repercussions. Managed Service Providers are literally named in this bill – if you don’t have one, you need one.

What Do I Do Now?

Step one in avoiding this growing threat is putting the right prevention measures in place. Because Dental Practices require specific knowledge when it comes to their IT network, Cybersecurity, and HIPAA compliance (as outlined by this bill), professionals with industry knowledge can offer insight into your current vulnerabilities, offer solutions to safeguard your practice, and, in the event of an attack, help you meet reporting requirements and get you on the road to recovery as efficiently as possible.

To learn more about the prevention and mitigation measures in place at Darkhorse Tech and how we recommend covering your Cybersecurity and HIPAA compliance, please reach out to us for a complimentary IT audit.
