A proposed rule that would require the nation’s most critical industries to more quickly report cyberattacks is raising the ire of the health care industry, which claims the new directives could actually hinder its response in a crisis.
Why it matters: Cyberattacks have sent shockwaves across the health care industry, but regulators and providers don’t agree on how to get a handle on the problem.
Driving the news: The comment period for new rules surrounding cyberattacks, which closed last Wednesday, illustrates that division.
- The Cyber Incident Reporting for Critical Infrastructure Act of 2022 called for companies and organizations to report cyberattacks within 72 hours and ransoms paid within 24 hours.
- In rules proposed in April to implement the act, the Cybersecurity and Infrastructure Security Agency (CISA) laid out which entities would be subject to reporting a cyberattack, defined what a “substantial” incident is and specified reporting requirements.
- It also included enforcement mechanisms if entities don’t comply.
CISA says the agency isn’t learning about many cyberattacks in a timely way, making it difficult to not only quickly help victims but also spot trends and warn other companies about known vulnerabilities.
- The mandated reporting is “not so we can hold people accountable, but so we can use that information for the benefit of the overall cybersecurity ecosystem,” said Brandon Wales, CISA’s executive director, in an online video.
- But health systems and physician practices have since said in submitted comments that the proposal places overly onerous responsibilities on health care organizations and called for more flexibility.
What they’re saying: The proposal would require “a description of the covered entity’s security defenses” defining their entire security architecture, the College of Healthcare Information Management Executives and the Association for Executives in Healthcare Information Security stated in a letter to CISA’s director.
- That’s not only a tremendous amount of information to provide, but also a dangerous treasure trove if obtained by bad actors, they wrote.
- The American Hospital Association called CISA’s definition of “substantial cyber incident” ambiguous, saying it could result in both excessive disclosures of cybersecurity incidents and the underreporting of potentially significant events.
- The American Hospital Association called on the agency to make the reporting process more flexible. Hospitals could communicate vital information to the feds “without diverting crucial staff and resources away from containing the attack,” they wrote to CISA.
Between the lines: Organizations also raised concerns that reporting requirements did not appear to be harmonized across government agencies, with worries that a CIRCIA report might trigger the need for a breach report under HIPAA, the Medical Group Management Association wrote to the agency.
- It is also unclear what organization is responsible for CIRCIA reporting and whether when a third-party service provider has a substantial incident — as happened with Change Healthcare — it would be subject to the CIRCIA reporting instead.
Worth noting: Groups also raised particular concerns about a proposed enforcement mechanism included in the proposal to penalize organizations that don’t comply with the law in a timely fashion.
- “They’re victims of a cyberattack,” Chelsea Arnone, director of federal affairs for CHIME told Axios.
- “The most well-resourced hospitals and health systems can spend all the money in the world, but they are facing a constant threat from people that have nothing but time and want to inflict damage,” she said.
What to watch: It’s not clear how the reversal of the “Chevron deference” doctrine will impact this rule-making process.
- The doctrine previously gave executive branch agencies discretion to interpret unclear laws or ones subject to more than one interpretation.
What’s next: CISA will have 18 months to issue a final rule, taking into account not just comments from the health care industry but other sectors that would be impacted by the rules.