The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 came into effect on 8 April 2022.
Why is this relevant to me you ask?
Well, the amendment extends the scope of the Security of Critical Infrastructure Act 2018 to also apply to the healthcare and medical sector, and it introduces a set of regulatory functions under the Act such as the Risk Management Program, the Register of Critical Infrastructure Assets and Mandatory Cyber Incident Reporting.
I heard that this is only relevant to hospitals and only ones with ICUs, is that correct?
The key focus of the current version of the amendments is on hospitals with Intensive Care Units. However, it is important for all healthcare organisations to be aware of the requirements: the original version of the amendments had a raft of additional considerations that were scaled down, so the scope is likely to be extended. I guess I am saying, take a bit of time out to familiarise yourself and be prepared!
OK, OK, so you have my attention, what is this all about?
Basically, from 8 April, hospitals need to register their critical infrastructure assets. You can do this at the Cyber and Infrastructure Security Centre (cisc.gov.au); for more information see this fact sheet: CISC Factsheet – Register of Critical Infrastructure Assets, 25 March 2022. Additionally, any security incident in relation to these assets needs to comply with mandatory cyber incident reporting; see this fact sheet on the incident reporting process: CISC Factsheet – Cyber Security Incident Reporting.
But as mentioned, the Act itself covers not just hospitals but the whole healthcare and medical sector, so in time other organisations, not just hospitals, will need to adhere to the Act's requirements. Get ready early.
The amendment introduces the following:
- A new obligation for responsible entities to create and maintain a critical infrastructure risk management program, and
- A new framework of enhanced cyber security obligations for operators of systems of national significance (SoNS, Australia's most important critical infrastructure assets).
Under the Enhanced Cyber Security Obligations, the Secretary of Home Affairs may require the responsible entity for a system of national significance to undertake one or more prescribed cyber security activities:
- develop cyber security incident response plans to prepare for a cyber incident.
- undertake cyber security exercises to build cyber preparedness.
- undertake vulnerability assessments to identify vulnerabilities for remediation.
Anna Hall, CIO Headspace and Vice-Chair Cybersecurity CoP, July 2022