Introduction: Healthcare Industry
The healthcare industry is voicing strong objections to the Cybersecurity and Infrastructure Security Agency’s (CISA) proposed cyber incident reporting rule. The proposed rule, part of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), aims to enhance the speed and scope of cyber incident reporting for entities considered critical infrastructure. However, healthcare organizations argue that the proposal is both redundant and burdensome.
Overview of CISA’s Proposed Cyber Incident Reporting Rule
In early April, CISA unveiled a proposed rule designed to implement CIRCIA. The rule mandates faster and more detailed reporting of cyber incidents to improve the government’s ability to identify threats, spot adversary campaigns earlier, and coordinate responses with public and private partners. The rule specifically targets hospitals with over 100 beds, critical access hospitals, manufacturers of essential medicines, high-risk medical device makers, and various IT entities within the healthcare sector.
Healthcare Industry’s Concerns
Burden on Healthcare Organizations
Healthcare groups, including the American Hospital Association (AHA), argue that the proposed reporting timelines would strain resources at a critical time. They consider the 72-hour incident reporting requirement unrealistic because it would divert the focus of cybersecurity, IT, legal, compliance, and leadership teams away from maintaining clinical and operational continuity during an attack.
Redundancy with Existing Regulations
The healthcare sector is already subject to extensive cyber incident reporting requirements under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Organizations like the College of Healthcare Information Management Executives (CHIME) and the Medical Group Management Association (MGMA) have called for the harmonization of CISA’s rules with existing regulations to eliminate redundancy.
Data Preservation Requirements
The proposed rule also requires organizations to preserve a large volume of data logs, forensics, and communications for two years following an incident. The AHA highlights the significant data storage capacity and additional staffing that this requirement would necessitate, imposing a substantial burden on healthcare providers.
Security Risks of Reporting
There is also concern about the security of the information submitted to CISA. Healthcare groups worry that detailed outlines of their cyber defenses could become targets for cybercriminals. Past breaches of CISA’s systems heighten these concerns, as noted by the AHA and CHIME.
Specific Concerns of Healthcare Organizations
American Hospital Association (AHA)
The AHA argues that the 72-hour reporting requirement is unreasonable and distracts from essential cybersecurity efforts during an attack. They also highlight the potential financial and staffing burdens posed by the data preservation mandate.
College of Healthcare Information Management Executives (CHIME)
CHIME members express concern about sharing detailed cyber defenses with CISA, fearing that this information could become a high-value target for cybercriminals. They also emphasize the need for clear inclusion criteria to avoid ambiguity about which entities are covered by the rule.
Medical Group Management Association (MGMA)
MGMA notes that group medical practices, while not specifically named, would often fall under the proposed rule’s enforcement based on size standards. They advocate for raising the threshold for reporting requirements to avoid undue burdens on smaller practices.
American Medical Association (AMA)
The AMA underscores the interconnectedness of the healthcare sector, using the attack on Change Healthcare as an example of how a single vendor’s breach can impact numerous organizations. They call for explicit inclusion criteria to ensure comprehensive coverage of all relevant entities.
America’s Health Insurance Plans (AHIP)
AHIP calls for simplified and uniform reporting requirements and clearer definitions of what constitutes a “covered cyber incident.” They also recommend that third-party vendors act as the primary reporting entity on behalf of their provider and insurer customers to reduce duplicative reporting.
Recommendations for Improvement
The healthcare industry suggests several improvements to the proposed rule:
1. Simplify and reduce the reporting burden to focus on critical incidents.
2. Harmonize CISA’s requirements with existing HIPAA and HITECH regulations to avoid redundancy.
3. Increase the threshold for reporting requirements to exclude smaller entities.
4. Ensure that detailed cyber defense reports are secure and not susceptible to breaches.
5. Include explicit criteria for health insurers, health IT vendors, and other third parties.
Conclusion
While the goal of improving cyber incident reporting is commendable, CISA’s proposed rule places significant burdens on the healthcare industry. By addressing the concerns and recommendations of healthcare organizations, CISA can develop a more effective and practical reporting framework that enhances cybersecurity without overburdening critical healthcare providers.
Discover the latest payers’ news updates with a single click. Follow DistilINFO HealthPlan and stay ahead with updates. Join our community today!
FAQs
1. What is CISA’s proposed cyber incident reporting rule?
A. CISA’s proposed rule requires faster and more detailed reporting of cyber incidents by entities considered critical infrastructure, including healthcare providers.
2. Why is the healthcare industry against the proposed rule?
A. The healthcare industry argues that the rule is redundant with existing regulations, imposes significant burdens, and poses security risks.
3. What are the main concerns of the healthcare industry?
A. Concerns include the 72-hour reporting requirement, data preservation mandates, security risks of reporting, and the lack of clear inclusion criteria.
4. What improvements does the healthcare industry suggest?
A. They recommend simplifying the reporting burden, harmonizing requirements with existing regulations, increasing reporting thresholds, and ensuring the security of detailed reports.
5. How can CISA address these concerns?
A. By streamlining reporting requirements, harmonizing with existing rules, and clarifying inclusion criteria, CISA can create a more practical and effective framework for cyber incident reporting.