Dive Brief:
- Healthcare and hospital groups say a federal cybersecurity reporting proposal should explicitly include insurers and third-party vendors, citing the impact of the major cyberattack against medical claims clearinghouse Change Healthcare.
- The proposed rule, released by the Cybersecurity and Infrastructure Security Agency this spring, would require companies broadly in critical infrastructure industries to report cyber incidents within 72 hours of discovery and document ransom payments within 24 hours.
- CISA decided not to include sector-specific reporting criteria for insurance companies, health IT providers and labs or diagnostics facilities. But the American Hospital Association argued the exclusion doesn’t make sense, as disruption to a single company could ripple across the entire industry.
Dive Insight:
The long-awaited rulemaking from CISA aims to help the federal government rapidly deploy resources to assist critical infrastructure providers and collect information on cyberattacks. More than 316,000 entities could be covered under the rule, according to agency estimates.
In the proposed rule, CISA said it wasn’t necessary to include sector-specific criteria for insurers or labs, as a sufficient number of these companies would be captured under the size-based criteria that apply across all critical infrastructure sectors.
The agency said the most common cyber incidents facing health IT developers are data breaches, which aren’t the main focus of the rulemaking. Health IT developers are also already required to report breaches under healthcare-specific regulations.
But industry groups — including the AHA, the American Medical Association and the College of Healthcare Information Management Executives — noted in comments on the rule that the sector is deeply interconnected, and an attack at a third party could do serious damage across the industry.
CHIME said it’s unclear whether UnitedHealth subsidiary Change, a technology firm and large medical claims processor hit with a major cyberattack earlier this year, would have been required to report under the rule if it had been in effect. It might not have met the size-based reporting criteria, and the firm isn’t included under healthcare sector-specific criteria, the group said.
“Crucially, there are many third-parties in the healthcare ecosystem that our members contract with who would not be considered ‘covered entities’ under this proposal, and therefore, would not be obligated to share or disclose that there had been a substantial cyber incident – or any cyber incident at all,” Russell Branzell, CHIME president and CEO, wrote in a comment.
Some groups also said the timelines for reporting cyber incidents could be challenging. CHIME noted that HIPAA reporting obligations could be triggered when a provider makes a report under the proposed cyber rule, adding significant burden on providers. Overlapping regulations could also lead to duplicate reports, the group said.
America’s Essential Hospitals, which represents safety-net hospitals, argued they needed flexibility when reporting cyber incidents. Strict 24- and 72-hour deadlines could divert resources from patient care during a crisis.
They also requested financial support, saying limited cybersecurity budgets and insufficient staffing are particularly challenging for under-resourced hospitals.
“Alleviating these burdens by providing technical assistance, in addition to a simple extended and phased reporting process, would allow essential hospitals to better allocate their limited resources, ensuring that critical incidents are effectively managed without compromising patient care or financial stability,” Bruce Siegel, president and CEO of America’s Essential Hospitals, said in a comment.