Healthcare industry rails against CISA's 'redundant' and 'burdensome' cyber incident reporting proposal

Healthcare industry groups are urging the federal government to streamline and loosen a recent proposed rule outlining cybersecurity incident reporting requirements for entities considered to be critical infrastructure.

Published in early April, the Cybersecurity and Infrastructure Security Agency’s (CISA’s) proposed rule aims to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

The proposal’s enhanced and speedier reporting requirements aim to help the government “better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats,” CISA Director Jen Easterly said in a statement upon the proposed rule’s unveiling.

CISA also noted that the changes would be timely for the healthcare sector, which “routinely” faces cyber incidents.

The agency specifies that its proposed rule would cover hospitals with 100 or more beds, critical access hospitals, the manufacturers of certain “essential” medicines, moderate-to-high-risk medical device makers and a broad swath of IT entities.

Health insurers, lab operators and health IT providers don’t have specific inclusion criteria, though CISA said it expects these entities would already be subject under general requirements that are based on an entity’s size, or, in the case of health IT providers, already have breach reporting requirements under HIPAA and HITECH Act rules.

The proposal landed with a thud for provider and health tech groups, who had plenty to say about the strain additional reporting would place on organizations already reeling from a cyberattack.

“The proposed [cyber incident reporting] timeline will distract the hospital or health system’s cyber security, IT, legal, compliance and leadership teams at a time when their effort and attention need to be laser-focused on ensuring clinical and operational continuance,” the American Hospital Association (AHA) wrote in public comments submitted last week. “All this makes the 72-hour incident reporting requirements unreasonable.”

Other industry groups like the College of Healthcare Information Management Executives (CHIME) and the Medical Group Management Association (MGMA) noted that the requirements come amid Health and Human Services’ other incident reporting regulations. They called on the government to “harmonize” its requirements by cutting out redundancies across the different agencies’ requirements.

Further, entities hit by a cyberattack would also be required to preserve a slew of data logs, forensics and communications for two years following the incident. This “shockingly large amount of data … would require significant data storage capacity and necessitate hiring additional staff” in order to comply, AHA added.

Another panned requirement tasks entities with detailing and delivering an outline of their cyber defenses to the agency. CHIME wrote in comments that its members “are extremely concerned” that such a correspondence would become a high-value target for the criminals CISA is seeking to thwart, with AHA pointing out that CISA itself has been the victim of a systems breach that could subsequently harm the reporting entities.

Just about all of the groups shared concerns over how CISA plans to determine what entities are or are not covered.

Group medical practices, MGMA noted, were not specifically named under the section outlining criteria for covered healthcare entities, but would often fall under enforcement based on the umbrella conditions that refer to the U.S. Small Business Administration’s small business size standard ($16 million annual receipts for physician offices, but “as little as $9 million” for certain specialists). Groups of that size are facing many of the same financial and staffing strains as smaller practices, MGMA wrote, and would be heavily burdened by the requirements.

“Should the agency not significantly simplify and reduce reporting burden, we urge CISA to substantially increase the threshold to physician practices from the currently proposed SBA threshold, as this would more accurately capture medical groups that are more likely to incorporate these proposed requirements in a way that would not disrepute operations and potentially leave them open to government sanctions,” MGMA wrote.

For hospitals, AHA wrote that it expects “less than 60 hospitals” across the country would be exempt from the requirements based on their size and status. Though the group said it appreciated the effort to relieve reporting burdens on these smaller hospitals, it recommended CISA either greatly simplify the reporting burden or ditch its inclusion of critical access hospitals to achieve its goal.

More broadly, industry groups questioned CISA’s decision to not define specific inclusion criteria for health insurers, health IT vendors and other related third parties. These groups are deeply intertwined with those that directly provide care, they wrote, and deserve an explicit callout.

Here, the American Medical Association pointed to the attack on Change Healthcare as evidence of “extreme interconnectedness within our critical sector, a significant dependency on one vendor, and the fragility of the system when that vendor suffers an attack and is nonfunctional.”

CHIME cautioned that excluding insurers, clearinghouses like Change Healthcare and other third-party administrators of health plans could lead some of these entities to “simply self-assess that they do not meet the proposed size-based criteria, and are not subject to CIRCIA.”

AHA took issue with CISA’s assumption that most IT entities would be captured by existing data breach notification requirements, writing that “there are hundreds of devices and third-party technology systems operating in the health sector that are critical to patient care and hospital operations that do not handle or otherwise touch patient data.”

In its comment letter on the proposed rule, AHIP, which represents health insurers, echoed many of the calls for simplified and uniform reporting requirements, as well as a clearer definition of what constitutes a “covered cyber incident.”

Without pointing a finger at its own membership, AHIP similarly acknowledged CISA’s “narrow” applicability criteria and warned that “certain third parties, including health IT providers and other vendors that act as business associates under HIPAA,” could be missed. The group called for these third-party vendors to not only be included, but to act as the primary reporting entity on behalf of their provider and insurer customers.

“This … will ensure reporting is done by the primary source under attack on behalf of their impacted customers, reducing duplicative reporting by all customers when a vendor experiences a covered cyber incident,” AHIP wrote.