Healthcare Industry Groups Labels  CISA’s Cyber Incident Reporting 'Redundant'

The proposed rule, published in April, aims to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

Healthcare industry groups in the US have strongly criticized the Cybersecurity and Infrastructure Security Agency’s (CISA) recent proposal on cybersecurity incident reporting, calling it redundant and burdensome.

The proposed rule, published in April, aims to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

The proposed rule outlines enhanced reporting requirements to help the government “better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats,” CISA Director Jen Easterly stated.

CISA highlighted the relevance of these changes for the healthcare sector, which frequently faces cyber incidents.

Under the proposal, hospitals with 100 or more beds, critical access hospitals, manufacturers of certain essential medicines, moderate-to-high-risk medical device makers, and various IT entities would be covered.

Health insurers, lab operators, and health IT providers, while not explicitly included, would be subject to the requirements based on their size or existing breach reporting obligations under HIPAA and HITECH Act rules.

However, the American Hospital Association (AHA) and other healthcare groups argue that the proposed timeline would divert crucial resources. “The proposed [cyber incident reporting] timeline will distract the hospital or health system’s cybersecurity, IT, legal, compliance, and leadership teams at a time when their effort and attention need to be laser-focused on ensuring clinical and operational continuance. All this makes the 72-hour incident reporting requirements unreasonable,” the AHA added.

Other industry groups, such as the College of Healthcare Information Management Executives (CHIME) and the Medical Group Management Association (MGMA), echoed these concerns, highlighting the redundancy with existing Health and Human Services incident reporting regulations.

They urged the government to streamline its requirements by eliminating overlap among different agencies.

According to the industry group, entities affected by cyberattacks must also preserve extensive data logs, forensics, and communications for two years. The AHA described this as a “shockingly large amount of data,” requiring substantial storage capacity and additional staff.

Additionally, the requirement for entities to submit detailed outlines of their cyber defenses to CISA has raised alarms. CHIME noted that such reports could become prime targets for cybercriminals, and the AHA pointed out that CISA itself has experienced system breaches that could jeopardize reporting entities.

Ambiguous Inclusion Criteria

A significant point of contention is how CISA determines which entities are covered. The MGMA noted that group medical practices, though not explicitly mentioned, could be included based on the US small business administration’s small business size standard. This could place a heavy burden on practices already facing financial and staffing challenges.

“Should the agency not significantly simplify and reduce reporting burden, we urge CISA to substantially increase the threshold to physician practices from the currently proposed SBA threshold, as this would more accurately capture medical groups that are more likely to incorporate these proposed requirements in a way that would not disrupt operations and potentially leave them open to government sanctions,” the MGMA wrote.

For hospitals, the AHA estimates that “less than 60 hospitals” nationwide would be exempt based on their size and status.

While acknowledging efforts to reduce burdens on smaller hospitals, the AHA recommended simplifying the reporting burden or excluding critical access hospitals altogether.

Third-Party Concerns

Industry groups also questioned CISA’s decision not to define specific inclusion criteria for health insurers, health IT vendors, and other related third parties. These entities are integral to patient care and hospital operations, and their exclusion could create gaps in the reporting framework.

The American Medical Association highlighted the attack on Change Healthcare as evidence of the healthcare sector's interconnectedness and the system's fragility when a key vendor is compromised.

CHIME also cautioned that excluding certain third parties could lead them to “simply self-assess that they do not meet the proposed size-based criteria and are not subject to CIRCIA.”

The AHA criticized CISA’s assumption that most IT entities are covered by existing data breach notification requirements. “There are hundreds of devices and third-party technology systems operating in the health sector that are critical to patient care and hospital operations that do not handle or otherwise touch patient data,” the AHA noted.

Further, health insurers, represented by AHIP, called for simplified and uniform reporting requirements and clearer definitions of what constitutes a “covered cyber incident.”

Additionally, AHIP suggested that third-party vendors should be the primary reporting entities for their provider and insurer customers to reduce duplicative reporting.

“This will ensure reporting is done by the primary source under attack on behalf of their impacted customers, reducing duplicative reporting by all customers when a vendor experiences a covered cyber incident,” AHIP wrote.