Stakeholders Suggest Changes to CISA’s Cybersecurity Reporting Rule

July 8, 2024
MGMA, WEDI urge CISA to align its reporting timelines and requirements with other federal partners, including the HHS Office for Civil Rights, to decrease the administrative burden

Stakeholders in healthcare are proposing changes to the Cybersecurity and Infrastructure Security Agency’s proposed rule on cyber incident reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). 

CISA proposes to institute reporting requirements for significant cyber events for critical infrastructure sectors including healthcare. 

The Medical Group Management Association expressed concerns about “burdensome, confusing, and duplicative reporting requirements that may impact medical groups’ ability to operate effectively, especially in the midst of a significant cyberattack.”

Noting that medical groups are already subject to various reporting requirements under HIPAA, MGMA suggests that instead of implementing the duplicative reporting requirements in the proposed rule, CISA should work closely with HHS to avoid layering complex requirements on one another. “While there are different timeframes for the HIPAA Breach Notification Rule, the agencies should work together to seamlessly incorporate data that will already be reported to not only promote collaboration but ease the burden of reporting on the same incident multiple times in multiple different formats,” the association’s letter stated. 

CISA proposes to include a size-based threshold to determine what entities are responsible for the cyber reporting requirements. MGMA said that while it appreciates efforts to avoid instituting reporting requirements for small medical groups, it nevertheless harbors concerns that using the current SBA small-business standard will still unduly impact smaller physician offices reporting revenue of as low as $9 million per year.

The proposed rule estimates that the cost of compliance to the industry will be $1.4 billion. The Biden Administration included $500 million in its proposed 2025 budget for hospitals to bolster cyber defenses. MGMA said that medical groups need a similar infusion to not only combat sophisticated attacks from bad actors, but also to ensure the right infrastructure, staffing, and procedures are implemented to comply with additional reporting requirements proposed by CISA. 

Finally, to avoid instituting unnecessary financial costs for medical groups, MGMA said CISA should shorten the timeframe required for covered entities to retain data and streamline the required information.

Like MGMA, the multi-stakeholder Workgroup for Electronic Data Interchange (WEDI) urged CISA to align its reporting timelines and requirements with other federal partners, including HHS/Office for Civil Rights, to decrease the administrative burden faced by covered entities potentially required to submit incident reports to multiple agencies. Entities covered under both HIPAA and CIRCIA should only be required to report once, through OCR, to be compliant under both rules, per CIRCIA’s substantially similar reporting exception, WEDI said. 

WEDI claims that for many victims of these types of attacks it could take more than 72 hours to fully identify all the data elements required for the initial report. Its recommendation is that CISA add flexibility to this requirement, permitting covered entities to submit an initial report to the best of their ability within 72 hours while allowing updates to be submitted as more information and analysis become available.

WEDI also recommends that the federal government institute a policy establishing that ransomware is not considered a data breach when the covered entity has deployed a recognized security program and no PHI has been accessed. If no breach occurs that results in data being accessed by unauthorized entities, and the covered entity is found to have made a good-faith effort to deploy a recognized security program and to institute security policies and procedures, the covered entity should not be deemed to have experienced a data breach, WEDI said.
