
Federal agency CISA unveils long-anticipated mandate for reporting on critical infrastructure systems

Under CIRCIA, the cybersecurity agency orders covered entities to swiftly disclose major cyber attacks and ransom payments.


Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), entities operating within one or more of the 16 critical infrastructure sectors, as defined under Presidential Policy Directive 21 (PPD-21), are required to report certain cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). The proposed rule, currently under public inspection, will impact more than 316,000 entities, including those in the healthcare sector.

The Proposed Rule, posted by the Department of Homeland Security on the Federal Register site, requires covered entities to report significant cyber incidents within 72 hours of discovery and ransomware payments within 24 hours. Notably, the rule covers the entire corporate entity even if only part of it is affected.

In the healthcare sector, the Cyber Incident Reporting requirements intersect with the Healthcare Cybersecurity Act of 2025, which aims to strengthen cybersecurity coordination between CISA and the Department of Health and Human Services (HHS). The Act focuses on tailored federal support and coordination to improve the cybersecurity posture in healthcare without imposing additional regulatory burdens.

The Healthcare Cybersecurity Act of 2025 appoints a cybersecurity liaison to improve communication, intelligence sharing, risk management, and incident response tailored to healthcare entities. This coordination is intended to improve healthcare sector resilience by facilitating cyber threat intelligence sharing, supporting risk management and training, enhancing incident coordination between federal agencies, and reporting on progress and challenges for cybersecurity improvements in the Healthcare and Public Health sector within 18 months of enactment.

While CIRCIA mandates reporting for healthcare entities as part of the critical infrastructure, the Healthcare Cybersecurity Act of 2025 specifically focuses on tailored federal support and coordination to improve cybersecurity posture in healthcare without additional regulatory imposition.

| Aspect | Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) | Healthcare Cybersecurity Act of 2025 |
|---|---|---|
| Covered Entities | Entities in any of the 16 critical infrastructure sectors (including healthcare); the entire corporate entity is covered | Healthcare and Public Health sector entities |
| Reporting Requirements | Report covered cyber incidents within 72 hours; ransomware payments within 24 hours | No new reporting requirements; focused on coordination and federal support |
| Impact on Healthcare | Healthcare entities, as critical infrastructure, must comply with reporting | Appointment of a liaison to improve inter-agency coordination, intelligence sharing, training, and response |
| Goal | Rapid government visibility into critical cyber incidents and ransomware | Strengthen sector-wide cybersecurity posture without new burdens |

The final details about which entities will be fully required to comply under the new rule are yet to be determined. A 60-day comment period will follow the formal publication, allowing for written responses from the public. The proposed rule is designed to help federal authorities share vital details with industry and government partners, ultimately improving the response to cyber threats for critical infrastructure.

According to CISA Director Jen Easterly, CIRCIA is a game changer for the cybersecurity community and will allow for better understanding of threats, earlier spotting of adversary campaigns, and more coordinated action with partners. However, the impact on entities beyond the initially estimated 316,000 is yet to be seen.


Because healthcare sector entities are part of the critical infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) regulations issued under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) require them to report ransomware payments within 24 hours and significant cyber incidents within 72 hours.

To further improve the cybersecurity posture in the healthcare sector, the Healthcare Cybersecurity Act of 2025 focuses on strengthening coordination between CISA and the Department of Health and Human Services (HHS) through a cybersecurity liaison, promoting intelligence sharing, risk management, training, and incident response tailored to healthcare entities.
