The 6-Hour Rule: What CERT-In Actually Requires From Indian Healthcare Providers
Author: Nitin Ray | Published On: 03 Jul 2026
Six hours. That's how long a hospital or clinic in India has to report a significant cyber incident to CERT-In after discovery — not after the forensic team confirms what happened, not after legal signs off on a statement. Six hours from the moment a credible alert lands on the security team's desk.
For most healthcare providers, this single requirement exposes a structural gap. Detecting an anomaly and confirming whether it's a genuine breach or a false alarm within six hours requires automated monitoring most clinics simply don't have. Manual log review, an overnight-only IT team, or a security process built around weekly check-ins — all of it collapses against a six-hour clock.
The second CERT-In requirement compounds the problem: system logs must be retained for a minimum of 180 days, stored within India, tamper-proof, and time-synchronized across the network. If auditors request logs from three months back and they're missing, altered, or inconsistent, the facility is already in violation — regardless of whether an actual breach occurred.
Together, these two rules push Indian healthcare cyber security out of the "annual audit" mindset and into continuous, provable monitoring. Practically, that means:
- Centralized, automated log collection — not logs scattered across individual device systems
- A defined internal escalation path so a credible alert reaches a decision-maker in minutes, not days
- Tamper-proof log storage that's genuinely retrievable within India, not just backed up somewhere convenient
Facilities still relying on spreadsheets and manual audit prep are the ones most likely to fail a CERT-In review — not because their security is necessarily weak, but because they can't produce proof fast enough.
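A sketch of what "producing proof" can look like in practice, added here as an illustration and not taken from the article or from any CERT-In tooling: an audit script that checks a hash-chained log for altered or missing entries, out-of-order timestamps, collection gaps, and 180-day coverage. The hash-chain record layout, the `seal`/`audit` helper names, the 24-hour gap threshold and the sample data are all assumptions made for this example.

```python
import hashlib, json
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 180               # minimum retention stated in the article
MAX_GAP = timedelta(hours=24)      # assumption: longest silence tolerated between entries
GENESIS = "0" * 64                 # assumption: prev-hash value of the first record

def seal(prev_hash, ts, msg):
    """Create one record whose hash covers the previous record's hash."""
    body = json.dumps({"prev": prev_hash, "ts": ts, "msg": msg}, sort_keys=True)
    digest = hashlib.sha256(body.encode()).hexdigest()
    return {"prev": prev_hash, "ts": ts, "msg": msg, "hash": digest}

def build_sample(now, days=200):
    """Constructed sample data: one entry per day, ending at `now`."""
    records, prev = [], GENESIS
    for i in range(days, -1, -1):
        rec = seal(prev, (now - timedelta(days=i)).isoformat(), f"daily rollup {i}")
        records.append(rec)
        prev = rec["hash"]
    return records

def audit(records, now):
    """Return findings; an empty list means the log can be shown intact."""
    if not records:
        return ["no records retained"]
    findings, prev_hash, prev_ts = [], GENESIS, None
    for i, r in enumerate(records):
        if r["prev"] != prev_hash or seal(prev_hash, r["ts"], r["msg"])["hash"] != r["hash"]:
            findings.append(f"record {i}: hash chain broken (entry altered or removed)")
        ts = datetime.fromisoformat(r["ts"])
        if prev_ts and ts < prev_ts:
            findings.append(f"record {i}: timestamp earlier than previous entry")
        elif prev_ts and ts - prev_ts > MAX_GAP:
            findings.append(f"record {i}: {ts - prev_ts} gap without logs")
        prev_hash, prev_ts = r["hash"], ts
    covered = now - datetime.fromisoformat(records[0]["ts"])
    if covered < timedelta(days=RETENTION_DAYS):
        findings.append(f"retention: only {covered.days} days covered, need {RETENTION_DAYS}")
    if now - prev_ts > MAX_GAP:
        findings.append("collection: newest entry is older than the allowed gap")
    return findings

if __name__ == "__main__":
    now = datetime(2026, 7, 3, tzinfo=timezone.utc)   # constructed audit date
    log = build_sample(now)
    print(audit(log, now))                            # intact log
    log[50]["msg"] = "edited after the fact"
    print(audit(log, now))                            # altered entry
```

A hash chain on its own is tamper-evident rather than tamper-proof: anyone able to rewrite the whole file can recompute every hash, so the latest chain hash needs to be recorded somewhere the log host cannot modify.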
The complete regulatory picture — including how this compares to U.S. HHS requirements and what a defensible security posture actually looks like operationally — is here: https://ruleexpert.com/healthcare-cyber-security-2026-mandates/.
