{"id":12340,"date":"2024-07-09T10:23:03","date_gmt":"2024-07-09T10:23:03","guid":{"rendered":"https:\/\/distilinfo.com\/healthplan\/?p=12340"},"modified":"2024-07-09T10:23:03","modified_gmt":"2024-07-09T10:23:03","slug":"healthcare-industry-efficient-cyber","status":"publish","type":"post","link":"https:\/\/distilinfo.com\/healthplan\/healthcare-industry-efficient-cyber\/","title":{"rendered":"Healthcare Industry Pushes for Efficient Cyber Reporting Solutions"},"content":{"rendered":"\r\n<div id=\"rank-math-toc\" class=\"wp-block-rank-math-toc-block has-electric-grass-gradient-background has-background\"><nav>\r\n<ul>\r\n<li><a href=\"#introduction-healthcare-industry\">Introduction: Healthcare Industry<\/a><\/li>\r\n<li><a href=\"#overview-of-cis-as-proposed-cyber-incident-reporting-rule\">Overview of CISA&#8217;s Proposed Cyber Incident Reporting Rule<\/a><\/li>\r\n<li><a href=\"#healthcare-industrys-concerns\">Healthcare Industry&#8217;s Concerns<\/a>\r\n<ul>\r\n<li><a href=\"#burden-on-healthcare-organizations\">Burden on Healthcare Organizations<\/a><\/li>\r\n<li><a href=\"#redundancy-with-existing-regulations\">Redundancy with Existing Regulations<\/a><\/li>\r\n<li><a href=\"#data-preservation-requirements\">Data Preservation Requirements<\/a><\/li>\r\n<li><a href=\"#security-risks-of-reporting\">Security Risks of Reporting<\/a><\/li>\r\n<\/ul>\r\n<\/li>\r\n<li><a href=\"#specific-concerns-of-healthcare-organizations\">Specific Concerns of Healthcare Organizations<\/a>\r\n<ul>\r\n<li><a href=\"#american-hospital-association-aha\">American Hospital Association (AHA)<\/a><\/li>\r\n<li><a href=\"#college-of-healthcare-information-management-executives-chime\">College of Healthcare Information Management Executives (CHIME)<\/a><\/li>\r\n<li><a href=\"#medical-group-management-association-mgma\">Medical Group Management Association (MGMA)<\/a><\/li>\r\n<li><a href=\"#american-medical-association-ama\">American Medical Association (AMA)<\/a><\/li>\r\n<li><a href=\"#americas-health-insurance-plans-ahip\">America&#8217;s Health Insurance Plans (AHIP)<\/a><\/li>\r\n<\/ul>\r\n<\/li>\r\n<li><a href=\"#recommendations-for-improvement\">Recommendations for Improvement<\/a><\/li>\r\n<li><a href=\"#conclusion\">Conclusion<\/a><\/li>\r\n<li><a href=\"#fa-qs\">FAQs<\/a>\r\n<ul>\r\n<li><a href=\"#1-what-is-cis-as-proposed-cyber-incident-reporting-rule\">1. What is CISA&#8217;s proposed cyber incident reporting rule?<\/a><\/li>\r\n<li><a href=\"#2-why-is-the-healthcare-industry-against-the-proposed-rule\">2. Why is the healthcare industry against the proposed rule?<\/a><\/li>\r\n<li><a href=\"#3-what-are-the-main-concerns-of-the-healthcare-industry\">3. What are the main concerns of the Healthcare Industry?<\/a><\/li>\r\n<li><a href=\"#4-what-improvements-do-the-healthcare-industry-suggest\">4. What improvements do the Healthcare Industry suggest?<\/a><\/li>\r\n<li><a href=\"#5-how-can-cisa-address-these-concerns\">5. How can CISA address these concerns?<\/a><\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<\/nav><\/div>\r\n\r\n\r\n\r\n<h2 id=\"introduction-healthcare-industry\" class=\"wp-block-heading\">Introduction: Healthcare Industry<\/h2>\r\n\r\n\r\n\r\n<p>The <a href=\"https:\/\/www.axios.com\/2024\/07\/08\/health-care-cyberattack-cybersecurity-cisa-pushback\" target=\"_blank\" rel=\"noopener\">healthcare industry<\/a> is voicing strong objections to the Cybersecurity and Infrastructure Security Agency&#8217;s (CISA) proposed cyber incident reporting rule. The proposed rule, part of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), aims to enhance the speed and scope of cyber incident reporting for entities considered critical infrastructure. However, healthcare organizations argue that the proposal is both redundant and burdensome.<\/p>\r\n\r\n\r\n\r\n<h2 id=\"overview-of-cis-as-proposed-cyber-incident-reporting-rule\" class=\"wp-block-heading\">Overview of CISA&#8217;s Proposed Cyber Incident Reporting Rule<\/h2>\r\n\r\n\r\n\r\n<p>In early April, CISA unveiled a proposed rule designed to implement CIRCIA. The rule mandates faster and more detailed reporting of cyber incidents to improve the government&#8217;s ability to identify threats, spot adversary campaigns earlier, and coordinate responses with public and private partners. The rule specifically targets hospitals with over 100 beds, critical access hospitals, manufacturers of essential medicines, high-risk medical device makers, and various IT entities within the healthcare sector.<\/p>\r\n\r\n\r\n\r\n<h2 id=\"healthcare-industrys-concerns\" class=\"wp-block-heading\">Healthcare Industry&#8217;s Concerns<\/h2>\r\n\r\n\r\n\r\n<h3 id=\"burden-on-healthcare-organizations\" class=\"wp-block-heading\">Burden on Healthcare Organizations<\/h3>\r\n\r\n\r\n\r\n<p>Healthcare groups, including the American Hospital Association (AHA), argue that the proposed reporting timelines would strain resources at a critical time. The 72-hour incident reporting requirement is deemed unrealistic as it would divert the focus of cybersecurity, IT, legal, compliance, and leadership teams from ensuring clinical and operational continuity during an attack.<\/p>\r\n\r\n\r\n\r\n<h3 id=\"redundancy-with-existing-regulations\" class=\"wp-block-heading\">Redundancy with Existing Regulations<\/h3>\r\n\r\n\r\n\r\n<p>The healthcare sector is already subject to extensive cyber incident reporting requirements under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Organizations like the College of Healthcare Information Management Executives (CHIME) and the Medical Group Management Association (MGMA) have called for the harmonization of CISA&#8217;s rules with existing regulations to eliminate redundancy.<\/p>\r\n\r\n\r\n\r\n<h3 id=\"data-preservation-requirements\" class=\"wp-block-heading\">Data Preservation Requirements<\/h3>\r\n\r\n\r\n\r\n<p>The proposed rule also requires organizations to preserve a large volume of data logs, forensics, and communications for two years following an incident. The AHA highlights the significant data storage capacity and additional staffing that this requirement would necessitate, imposing a substantial burden on healthcare providers.<\/p>\r\n\r\n\r\n\r\n<h3 id=\"security-risks-of-reporting\" class=\"wp-block-heading\">Security Risks of Reporting<\/h3>\r\n\r\n\r\n\r\n<p>There is also concern about the security of the information submitted to CISA. Healthcare groups worry that detailed outlines of their cyber defenses could become targets for cybercriminals. Past breaches of CISA&#8217;s systems heighten these concerns, as noted by the AHA and CHIME.<\/p>\r\n\r\n\r\n\r\n<h2 id=\"specific-concerns-of-healthcare-organizations\" class=\"wp-block-heading\">Specific Concerns of Healthcare Organizations<\/h2>\r\n\r\n\r\n\r\n<h3 id=\"american-hospital-association-aha\" class=\"wp-block-heading\">American Hospital Association (AHA)<\/h3>\r\n\r\n\r\n\r\n<p>The AHA argues that the <a href=\"https:\/\/www.aha.org\/lettercomment\/2024-07-02-aha-responds-cisa-proposed-rule-cyber-incident-reporting-requirements\" target=\"_blank\" rel=\"noopener\">72-hour reporting<\/a> requirement is unreasonable and distracts from essential cybersecurity efforts during an attack. They also highlight the potential financial and staffing burdens posed by the data preservation mandate.<\/p>\r\n\r\n\r\n\r\n<h3 id=\"college-of-healthcare-information-management-executives-chime\" class=\"wp-block-heading\">College of Healthcare Information Management Executives (CHIME)<\/h3>\r\n\r\n\r\n\r\n<p>CHIME members express concern about sharing detailed cyber defenses with CISA, fearing that this information could become a high-value target for cybercriminals. They also emphasize the need for clear inclusion criteria to avoid ambiguity about which entities are covered by the rule.<\/p>\r\n\r\n\r\n\r\n<h3 id=\"medical-group-management-association-mgma\" class=\"wp-block-heading\">Medical Group Management Association (MGMA)<\/h3>\r\n\r\n\r\n\r\n<p>MGMA notes that group medical practices, while not specifically named, would often fall under the proposed rule&#8217;s enforcement based on size standards. They advocate for raising the threshold for reporting requirements to avoid undue burdens on smaller practices.<\/p>\r\n\r\n\r\n\r\n<h3 id=\"american-medical-association-ama\" class=\"wp-block-heading\">American Medical Association (AMA)<\/h3>\r\n\r\n\r\n\r\n<p>The AMA underscores the interconnectedness of the healthcare sector, using the attack on Change Healthcare as an example of how a single vendor&#8217;s breach can impact numerous organizations. They call for explicit inclusion criteria to ensure comprehensive coverage of all relevant entities.<\/p>\r\n\r\n\r\n\r\n<h3 id=\"americas-health-insurance-plans-ahip\" class=\"wp-block-heading\">America&#8217;s Health Insurance Plans (AHIP)<\/h3>\r\n\r\n\r\n\r\n<p>AHIP calls for simplified and uniform reporting requirements and clearer definitions of what constitutes a &#8220;covered cyber incident.&#8221; They also recommend that third-party vendors act as the primary reporting entity on behalf of their provider and insurer customers to reduce duplicative reporting.<\/p>\r\n\r\n\r\n\r\n<h2 id=\"recommendations-for-improvement\" class=\"wp-block-heading\">Recommendations for Improvement<\/h2>\r\n\r\n\r\n\r\n<p>Healthcare Industry suggests several improvements to the proposed rule:<\/p>\r\n\r\n\r\n\r\n<p>1. Simplify and reduce the reporting burden to focus on critical incidents.<\/p>\r\n\r\n\r\n\r\n<p>2. Harmonize CISA&#8217;s requirements with existing HIPAA and HITECH regulations to avoid redundancy.<\/p>\r\n\r\n\r\n\r\n<p>3. Increase the threshold for reporting requirements to exclude smaller entities.<\/p>\r\n\r\n\r\n\r\n<p>4. Ensure that detailed cyber defense reports are secure and not susceptible to breaches.<\/p>\r\n\r\n\r\n\r\n<p>5. Include explicit criteria for health insurers, health IT vendors, and other third parties.<\/p>\r\n\r\n\r\n\r\n<h2 id=\"conclusion\" class=\"wp-block-heading\">Conclusion<\/h2>\r\n\r\n\r\n\r\n<p>While the goal of improving cyber incident reporting is commendable, CISA&#8217;s proposed rule places significant burdens on the healthcare industry. By addressing the concerns and recommendations of healthcare organizations, CISA can develop a more effective and practical reporting framework that enhances cybersecurity without overburdening critical healthcare providers.<\/p>\r\n\r\n\r\n\r\n<p><span class=\"ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak\" dir=\"ltr\">Discover the latest <a class=\"fui-Link ___1rxvrpe f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1hu3pq6 f11qmguv f19f4twv f1tyq0we f1g0x7ka fhxju0i f1qch9an f1cnd47f fqv5qza f1vmzxwi f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn\" title=\"https:\/\/distilinfo.com\/healthplan\/\" href=\"https:\/\/distilinfo.com\/healthplan\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Link payers&#039; news updates\"><strong>payers&#8217; news updates<\/strong><\/a> with a single click. Follow <a class=\"fui-Link ___1rxvrpe f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1hu3pq6 f11qmguv f19f4twv f1tyq0we f1g0x7ka fhxju0i f1qch9an f1cnd47f fqv5qza f1vmzxwi f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn\" title=\"https:\/\/distilinfo.com\/healthplan\/\" href=\"https:\/\/distilinfo.com\/healthplan\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Link DistilINFO HealthPlan\">DistilINFO HealthPlan<\/a> and stay ahead with updates. Join our community today!<\/span><\/p>\r\n\r\n\r\n\r\n<h2 id=\"fa-qs\" class=\"wp-block-heading\">FAQs<\/h2>\r\n\r\n\r\n\r\n<h3 id=\"1-what-is-cis-as-proposed-cyber-incident-reporting-rule\" class=\"wp-block-heading\">1. What is CISA&#8217;s proposed cyber incident reporting rule?<\/h3>\r\n\r\n\r\n\r\n<p>A. CISA&#8217;s proposed rule requires faster and more detailed reporting of cyber incidents by entities considered critical infrastructure, including healthcare providers.<\/p>\r\n\r\n\r\n\r\n<h3 id=\"2-why-is-the-healthcare-industry-against-the-proposed-rule\" class=\"wp-block-heading\">2. Why is the healthcare industry against the proposed rule?<\/h3>\r\n\r\n\r\n\r\n<p>A. Healthcare Industry argues that the rule is redundant with existing regulations, imposes significant burdens, and poses security risks.<\/p>\r\n\r\n\r\n\r\n<h3 id=\"3-what-are-the-main-concerns-of-the-healthcare-industry\" class=\"wp-block-heading\">3. What are the main concerns of the Healthcare Industry?<\/h3>\r\n\r\n\r\n\r\n<p>A. Concerns include the 72-hour reporting requirement, data preservation mandates, security risks of reporting, and the lack of clear inclusion criteria.<\/p>\r\n\r\n\r\n\r\n<h3 id=\"4-what-improvements-do-the-healthcare-industry-suggest\" class=\"wp-block-heading\">4. What improvements do the Healthcare Industry suggest?<\/h3>\r\n\r\n\r\n\r\n<p>A. They recommend simplifying the reporting burden, harmonizing requirements with existing regulations, increasing reporting thresholds and ensuring the security of detailed reports.<\/p>\r\n\r\n\r\n\r\n<h3 id=\"5-how-can-cisa-address-these-concerns\" class=\"wp-block-heading\">5. How can CISA address these concerns?<\/h3>\r\n\r\n\r\n\r\n<p>A. By streamlining reporting requirements, harmonizing with existing rules, and clarifying inclusion criteria, CISA can create a more practical and effective framework for cyber incident reporting.<\/p>\r\n","protected":false},"excerpt":{"rendered":"<p>Introduction: Healthcare Industry The healthcare industry is voicing strong objections to the Cybersecurity and Infrastructure Security Agency&#8217;s (CISA) proposed cyber&#8230; <a href=\"https:\/\/distilinfo.com\/healthplan\/healthcare-industry-efficient-cyber\/\" style=\"white-space: nowrap;\">Continue Reading <i class=\"fas fa-long-arrow-alt-right\" style=\"vertical-align: middle;\"><\/i><\/a><\/p>\n","protected":false},"author":1,"featured_media":12341,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[1],"tags":[401,311],"class_list":{"0":"post-12340","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-distilinfo-originals","8":"tag-cyber-reporting-solutions","9":"tag-healthcare-industry","10":"entry"},"_links":{"self":[{"href":"https:\/\/distilinfo.com\/healthplan\/wp-json\/wp\/v2\/posts\/12340"}],"collection":[{"href":"https:\/\/distilinfo.com\/healthplan\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/distilinfo.com\/healthplan\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/distilinfo.com\/healthplan\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/distilinfo.com\/healthplan\/wp-json\/wp\/v2\/comments?post=12340"}],"version-history":[{"count":4,"href":"https:\/\/distilinfo.com\/healthplan\/wp-json\/wp\/v2\/posts\/12340\/revisions"}],"predecessor-version":[{"id":12349,"href":"https:\/\/distilinfo.com\/healthplan\/wp-json\/wp\/v2\/posts\/12340\/revisions\/12349"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/distilinfo.com\/healthplan\/wp-json\/wp\/v2\/media\/12341"}],"wp:attachment":[{"href":"https:\/\/distilinfo.com\/healthplan\/wp-json\/wp\/v2\/media?parent=12340"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/distilinfo.com\/healthplan\/wp-json\/wp\/v2\/categories?post=12340"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/distilinfo.com\/healthplan\/wp-json\/wp\/v2\/tags?post=12340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}