The 6-Hour Rule: What CERT-In Actually Requires From Indian Healthcare Providers

Author: Nitin Ray | Published on: 03 Jul 2026

Six hours. That's how long a hospital or clinic in India has to report a significant cyber incident to CERT-In after discovery — not after the forensic team confirms what happened, not after legal signs off on a statement. Six hours from the moment a credible alert lands on the security team's desk.

For most healthcare providers, this single requirement exposes a structural gap. Detecting an anomaly and confirming whether it's a genuine breach or a false alarm within six hours requires automated monitoring most clinics simply don't have. Manual log review, an overnight-only IT team, or a security process built around weekly check-ins — all of it collapses against a six-hour clock.

The second CERT-In requirement compounds the problem: system logs must be retained for a minimum of 180 days, stored within India, tamper-proof, and time-synchronized across the network. If auditors request logs from three months back and they're missing, altered, or inconsistent, the facility is already in violation — regardless of whether an actual breach occurred.

Together, these two rules push Indian healthcare cyber security out of the "annual audit" mindset and into continuous, provable monitoring. Practically, that means:

  • Centralized, automated log collection — not logs scattered across individual device systems
  • A defined internal escalation path so a credible alert reaches a decision-maker in minutes, not days
  • Tamper-proof log storage that's genuinely retrievable within India, not just backed up somewhere convenient

Facilities still relying on spreadsheets and manual audit prep are the ones most likely to fail a CERT-In review — not because their security is necessarily weak, but because they can't produce proof fast enough.
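
The three failure conditions named above for retained logs (missing, altered, inconsistent) can be checked mechanically before an auditor asks. The following is an added example, not part of the original article and not a method CERT-In prescribes: it assumes a SHA-256 hash-chained archive, treats a calendar day with no records as a gap, uses hypothetical function names (`seal`, `append`, `audit`), and runs on constructed log records.

```python
import hashlib, json
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 180  # minimum retention period stated in the article

def seal(prev_hash, ts, msg):
    """Hash of one record chained to its predecessor (assumed scheme)."""
    body = json.dumps({"prev": prev_hash, "ts": ts, "msg": msg}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append(chain, ts, msg):
    """Add a record whose hash covers the previous record's hash."""
    prev = chain[-1]["hash"] if chain else "0" * 64
    chain.append({"ts": ts, "msg": msg, "prev": prev, "hash": seal(prev, ts, msg)})

def audit(chain, now):
    """Return findings: altered records, clock inconsistencies, missing days."""
    findings, prev, last_ts, days = [], "0" * 64, None, set()
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != seal(rec["prev"], rec["ts"], rec["msg"]):
            findings.append(f"altered: record {i}")
        ts = datetime.fromisoformat(rec["ts"])
        if last_ts and ts < last_ts:
            findings.append(f"inconsistent: record {i} timestamp goes backwards")
        prev, last_ts = rec["hash"], ts
        days.add(ts.date())
    # Every day in the retention window must have at least one record.
    for d in range(RETENTION_DAYS):
        day = (now - timedelta(days=d)).date()
        if day not in days:
            findings.append(f"missing: no records for {day}")
    return findings

def build_sample(now):
    """Constructed sample: one record per day for the last 180 days."""
    chain = []
    for d in range(RETENTION_DAYS - 1, -1, -1):
        append(chain, (now - timedelta(days=d)).isoformat(), f"auth ok user=nurse{d % 5}")
    return chain

if __name__ == "__main__":
    now = datetime(2026, 7, 3, 12, 0, tzinfo=timezone.utc)
    chain = build_sample(now)
    print(audit(chain, now))                  # clean archive
    chain[90]["msg"] = "auth ok user=admin"   # edit a record about three months back
    print(audit(chain, now))
```

A hash chain shows tampering only if the latest hash is also recorded somewhere the log writer cannot rewrite, so this is a tamper-evidence check, not a substitute for protected storage.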

The complete regulatory picture — including how this compares to U.S. HHS requirements and what a defensible security posture actually looks like operationally — is here: https://ruleexpert.com/healthcare-cyber-security-2026-mandates/.