Blood centers are included in the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) proposed rule on cyber incident reporting that was recently published. The cyber incident reporting proposed rule is titled, “Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements.” Under the DHS CISA cyber incident reporting proposed rule, blood centers and other covered critical infrastructure organizations would be required to report covered cyber incidents to the federal government within 72 hours and ransom payments within 24 hours, in addition to other provisions.
As explained by America’s Blood Centers (ABC) Vice President of Government Affairs Diane Calmus, JD in MCN 24-023, blood centers are specifically included in the healthcare critical infrastructure sector of the cyber incident reporting proposed rule. Thus, blood centers will need to determine if they are a covered entity in the cyber incident reporting proposed rule through one of two means:
- Size: “exceed the U.S. Small Business Administration’s (SBA) small business size standard based on either number of employees or annual revenue, depending on the industry (which can be determined online – for NAICS code 621991 ‘Blood and Organ Banks’ with less than $40,000,000 average annual revenue over the past 5 years);” or
- By meeting any one of three “sector-based criteria:
  - certain entities providing direct patient care; or
  - manufacturers of drugs listed in Appendix A of the report Essential Medicines Supply Chain and Manufacturing Resilience Assessment, sponsored by the U.S. Department of Health and Human Services (HHS) Administration for Strategic Preparedness and Response (ASPR); or
  - manufacturers of Class II (moderate risk) and Class III (high risk) devices, as defined in 21 U.S.C. 360c.”
While blood and blood products are not currently included on the list of Essential Medicines referenced in the second sector-based criterion, ABC and the blood community have urged the U.S. Department of Health and Human Services (HHS) to include blood and blood components on this list because of the importance of blood during disasters, including pandemics. If blood were included, all blood centers would need to report under the cyber incident reporting proposed rule.
The cyber incident reporting proposed rule implements the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which was signed into law in March 2022 in response to the failure of entities to voluntarily report breaches and to fragmented federal responsibility that lacked information sharing. The rule broadly construes covered critical infrastructure so that a comprehensive grouping of entities must report breaches, with the goal of improving the information available for countermeasures and the patching of vulnerabilities. The reports submitted by those that have experienced attacks will not be public, though anonymized information from the reports may be released to warn against similar attacks. Comments regarding the proposed rule are due June 3rd. ABC will continue to provide updates on the proposed rule and its advocacy efforts.