
Health-ISAC Hacking Healthcare 5-11-2026

This week, Health-ISAC®’s Hacking Healthcare® endeavors to bring you up to speed on what is happening at the Cybersecurity and Infrastructure Security Agency (CISA) after Congressional funding ended a 76-day shutdown affecting the critical cyber agency.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).

 


Welcome back to Hacking Healthcare®!

Americas Hobby Exercise 2026

Before we jump into today’s article, we are rapidly approaching the seventh annual Americas Hobby Exercise, and we encourage Health-ISAC members to consider registering their interest to attend. The exercise is an all-day workshop and tabletop exercise with Health-ISAC members, United States Government (USG) agencies, and other critical infrastructure sectors. The exercise is designed to raise awareness of issues faced by the healthcare sector during and after a major incident and to build enduring relationships within and across the health sector and government to strengthen understanding, response, and recovery plans and activities.

This year’s Hobby Exercise will be held on June 24 in Washington, D.C. Members can register their interest here:

https://portal.h-isac.org/s/community-event?id=a1YVn000005srUHMAY.

For those interested in learning more, last year’s report can be found here: https://health-isac.org/2025-americas-hobby-exercise-after-action-report/

Assessing CISA After an Extended Shutdown

On April 30, after 76 days of a shutdown, President Trump signed a compromise congressional bill to fund the Department of Homeland Security (DHS). This funding has allowed CISA to begin ramping back up to full operational status. As a result, now is a good time to assess where the agency is on the long-awaited (and technically overdue) Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) final rule, and what critical infrastructure sectors should make of CISA’s newly introduced “CI Fortify” initiative.

CIRCIA Update

Passed in 2022, CIRCIA was primarily intended to establish reporting requirements for covered cyber incidents and ransom payments across a range of covered entities. The expectation is that these reports will help CISA respond where needed while providing policymakers with a clearer picture of the overall threat landscape and its impacts on covered entities. CISA’s role in finalizing CIRCIA includes developing a final rule that clarifies many of CIRCIA’s technical details.

The language within CIRCIA ultimately directed CISA to produce a final rule by October of last year. When CISA missed this deadline, it was speculated that the new target date might be in the Spring of 2026, based on evidence in the Spring 2025 Unified Agenda of Regulatory and Deregulatory Actions suggesting it could be published in May. Skepticism about this new target date grew when CISA published a notice in February of this year announcing its intention to hold a series of town halls in March and April to gather more stakeholder feedback to “refine” the “scope and burden” of CIRCIA.[i] This effort was then stalled as the government shutdown paused all non-essential operations.

With the shutdown now over, the information currently available from CISA on their CIRCIA webpage[ii] indicates that they still intend to have these town halls, and they point to the shutdown as “likely” resulting “in a delay to the issuance of the CIRCIA final rule.”[iii]

Fortify!

Despite the shutdown only recently ending, CISA has launched a new initiative to build resilience among the nation’s critical infrastructure entities. On May 5th, CISA published a press release announcing “CI Fortify.”[iv] CISA describes the effort as guidance “to help critical infrastructure (CI) entities across all sectors prepare to operate through a crisis or conflict, continuing vital service delivery even as their systems are under attack,” while “…strengthen[ing] resilience and help[ing] CI entities and their partners maintain a baseline of continuity for critical services during a cyberattack.”[v]

The current webpage for the initiative specifically highlights the threats posed by nation-state actors to critical infrastructure, especially in the context of a “wider geopolitical conflict.” The initiative appears to focus on “isolation” and “recovery” capabilities as a means to “sustain essential operations during a geopolitical conflict.”[vi] Isolation refers to the ability to proactively disconnect from third parties as needed and to maintain the ability to provide essential services for an extended period (months). Recovery refers to ensuring adequate documentation and back-ups and addressing communications dependencies.

There is also a “call to action for non-operators” that helps identify how Industrial Automation Control System Vendors & Suppliers, Managed Service Providers & Integrators, Security Vendors, and Volunteers can help with efforts.

There do not appear to be specific objectives, timelines, funding, or new resources related to CI Fortify at this time.

 

Action & Analysis
**Included with Health-ISAC Membership**

 

[i] https://www.federalregister.gov/documents/2026/02/13/2026-02948/cyber-incident-reporting-for-critical-infrastructure-act-circia-rulemaking-town-hall-meetings

[ii] https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia

[iii] https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia

[iv] https://www.cisa.gov/news-events/news/cisa-unveils-new-initiative-fortify-americas-critical-infrastructure

[v] https://www.cisa.gov/news-events/news/cisa-unveils-new-initiative-fortify-americas-critical-infrastructure

[vi] https://www.cisa.gov/topics/industrial-control-systems/ci-fortify

[vii] https://health-isac.org/health-isac-hacking-healthcare-2-19-2026/

[viii] https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/circia/faqs

[ix] https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/circia/faqs

[x] https://www.cisa.gov/news-events/news/cisa-unveils-new-initiative-fortify-americas-critical-infrastructure

[xi] https://www.cisa.gov/news-events/news/cisa-unveils-new-initiative-fortify-americas-critical-infrastructure