Providers must have a robust incident response plan and notify MOH within two hours of a significant cybersecurity incident or data breach.