2 Minute Drill: Upcoming Cybersecurity Regulations in Healthcare
Episode 15 •
29th March 2024 • This Week Health: Newsroom • This Week Health
Transcripts
Hey everyone, I'm Drex, and this is the Two Minute Drill. We do at least three security stories at least two times a week, all part of one great community, the 229 Cyber and Risk Community here at This Week Health. This is mostly plain English, mostly non-technical, so it's easy to share with other folks in your organization.
And now the 2 Minute Drill is available on Apple Podcasts, or wherever you get your downloads. Just search for This Week Health Newsroom. The Drill is one of a collection of shows in that channel. So smash the like and subscribe button as they say, and thanks in advance for sharing this with your peers.
Uh, I'm glad you're with me today. Here's some stuff you might want to know about. I've talked about this a few times on the Two Minute Drill, the undeniable fact that there's more regulation and more rules coming for critical infrastructure cybersecurity teams, and that means all of us in healthcare, because we're specifically included in the government's definition of critical infrastructure.
ation signed into law back in:
And if I'm pronouncing the acronym wrong, somebody please let me know. CIRCIA tasked CISA, the U.S. Cybersecurity and Infrastructure Agency, to create the rules that will enact the law. And so here we are, two years later, it's time for the rules. And CISA has issued a notice of proposed rulemaking. The notice, it's out.
It's a lot, 447 pages, but there's several stories published about the notice and you can find some of those at ThisWeekHealth.com slash news, but just for convenience, here's some insights on the content. As written, the notice says we'd all have to report substantial cyber incidents within 72 hours of discovering them.
And if your organization decides to pay a ransom, you'll have to report that within 24 hours. Now, this isn't like the HHS wall of shame. The reports will not, repeat, will not be publicly disclosed, but the data may be anonymized and then used or shared to help warn other potential victims of adversary activity in our industry.
Now that required reporting would be done to CISA via a website, which is yet to be developed. And the details of those reporting requirements are also under development. So that's some of the reason it's probably important that you read the notice and then go make comments. With most of these regulatory development processes, the devil's in the details.
And so this is your opportunity to help influence the details. The notice of proposed rulemaking is supposed to be published on April 4th, and organizations will have about 60 days to comment on it. CISA has already been gathering lots of information over the past two years in a multitude of ways, so you should expect that the notice, as written, will probably wind up being pretty close to the way the final rules are enacted.
There's always room for improvement, so go comment. There are a few stories about this, along with some interesting embedded opinions, and we've posted those on our website at ThisWeekHealth.com slash news, and all those stories have links to the actual notice for proposed rulemaking, and the notice itself has information on how to submit comments.
Now there's one other story that bears quick mention today. It's tied to government cybersecurity stuff, and that's a new bill that's been introduced by Senator Mark Warner of Virginia. It's called the Healthcare Cybersecurity Improvement Act, and it would legally enable advanced and accelerated payments from the government to organizations who find themselves cash strapped during a cyber incident, providing cybersecurity requirements.
Now, it turns out, with a lot more reading on my part, this is not what some would like to refer to as a meaningful use program for cybersecurity. But remember, as of right now, it's only a bill, and it's just sitting there on Capitol Hill. And with all bills, there's the potential for a lot of new ideas and markups and rewrites before it ever gets a chance to work, to become a law.
So it's another chance for you to get involved and write your congressman and senator and tell them what you actually want. As the lady once said, never waste a good crisis. And I think cybersecurity has, at least for the moment, everyone's attention. There's a lot of hot stories with healthcare cyber, so I drop all the 2 Minute Drill stories and a bunch more at ThisWeekHealth.com slash news.
And by the way, stopping by the news site each morning is a great way to help start your day. Get the latest, greatest, breakingest news on healthcare. Please like and share this post and tag your friends because security is everyone's business and cyber safety is patient safety. I'm Drex.
That's the 2 Minute Drill. Stay a little paranoid. I'll see you around campus.