
Feds, health care groups ponder next round of cybersecurity rules


Health care organizations comment on proposed rules established through legislation of 2022.

© Cybersecurity & Infrastructure Security Agency


Federal regulators still need to refine the new rules for tracking cyberattacks in health care and other critical industries.

Health care businesses and trade groups were among the entities that submitted at least 289 comments on the notice of proposed rulemaking (NPRM) for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Congress passed the bipartisan legislation and President Joe Biden signed it into law in March 2022. This year, the Cybersecurity and Infrastructure Security Agency (CISA) within the U.S. Department of Homeland Security opened a public comment period on the proposed rule.

CISA published an information sheet about the general requirements of the rule. Among them:

  • Covered entities, such as those in health care, must report cyber incidents within 72 hours from the time they occur.
  • CISA and other federal agencies must trade information about cyberattacks within 24 hours of reporting.
  • Victims of ransomware cyberattacks must report ransom payments to CISA within 24 hours.
  • CISA will establish a pilot program to identify systems vulnerable to ransomware and notify the owners.

The updated cybersecurity reporting won’t happen for free. CISA’s estimate spanned 11 years, from 2023 to 2033, with 316,244 entities potentially affected and collectively generating 210,525 reports. The total cost could reach $2.6 billion ($1.4 billion for industry and $1.2 billion for the federal government), or approximately $244.6 million a year, according to figures published by CISA in the Federal Register.

CISA was required to open the public comment period within two years of the law’s passage. The proposed rules don’t go into effect immediately; once the notice goes out, CISA has 18 months to finalize the requirements.

Health care reactions

The health care organizations that commented generally agreed on the importance of cybersecurity and welcomed the good intentions and increased attention of Congress and the White House, according to the comments published in the online version of the Federal Register. But they pointed to ambiguities about who will be covered by the new rules and exactly how the rules would be implemented.

“While we appreciate CISA’s work on this issue and the opportunity to offer feedback, we have considerable concerns about instituting burdensome, confusing, and duplicative reporting requirements that may impact medical groups’ ability to operate effectively, especially in the midst of a significant cyber incident,” said the written comment from Medical Group Management Association (MGMA) Senior Vice President of Government Affairs Anders Gilberg.

Medical groups already have various cybersecurity reporting obligations to the U.S. Department of Health and Human Services. Federal regulators should collaborate to ease the burden of reporting the same incident multiple times in multiple formats, Gilberg said.

CISA should harmonize the reporting with the breach notification requirements of the Health Insurance Portability and Accountability Act, said Danielle A. Lloyd, senior vice president for private market innovations and quality initiatives for AHIP, the national association for health insurance providers.

Different standards

The new rule proposes coverage of businesses based on criteria of the U.S. Small Business Administration Size Standards. That could affect physicians’ offices with receipts ranging from $9 million to $16 million. But small medical groups “are already dealing with a litany of issues trying to keep their doors open — cuts to Medicare reimbursement, staffing shortages, rising costs, and more,” Gilberg said.

The size thresholds will create gaps in continuity in the reporting of substantial cyber incidents, said Brian Vamstad, PhD, director of regulatory affairs for Duluth, Minnesota-based Essential Health. For example, some Essential Health entities potentially would not be required to report cyberattacks, creating different standards within the same health system, he said.

The criteria also do not make clear whether a third-party administrator or a pharmacy benefit manager of a health plan would be considered a “health plan or payer,” and whether cyberattacks against them would be reportable, said Tina O. Grande, president of the Healthcare Trust Institute.

Reporting deadlines

Timing also could be an issue for health care entities. The 72-hour rule “should not be prioritized over patient safety,” and sometimes law enforcement requests a delay in reporting an incident, said Thomas M. Leary, MA, CAE, FHIMSS, senior vice president and head of government relations for the Healthcare Information and Management Systems Society (HIMSS). The society also asked for clarity on the definition of “significant” or “substantial” disruptions to health care operations.

That deadline, and the 24-hour window to report ransomware payments, would affect hospitals. They need more flexibility to balance patient care with the necessity of reporting, so a streamlined and phased reporting process would be better, said Bruce Siegel, MD, MPH, president and CEO of America’s Essential Hospitals.

Ambiguous definition

American Hospital Association (AHA) Senior Vice President for Public Policy Ashley Thompson said the definition of a “substantial cyber incident” is ambiguous. While CISA attempted to exempt some hospitals from additional reporting requirements, AHA estimated fewer than 60 hospitals would benefit.

“A better way to reduce reporting burdens on overstressed hospitals is to simplify the reporting criteria such that all health sector entities can easily report incidents. If the reporting requirements cannot be sufficiently simplified so as not to burden any entity in the sector, then CISA should broaden the exemption criteria so that any hospitals below 100 beds, including all CAHs (critical access hospitals), would be exempt from these incident reporting requirements,” Thompson said.

Financial penalties?

The rule does not suggest fines or other financial penalties for violating CIRCIA requirements. But CISA could petition a court to hold a covered health care entity in contempt, said Scott D. Dresen, senior vice president for information security and chief security officer of Corewell Health, the largest employer in Michigan.

Corewell supports cybersecurity rules. “However, penalizing victims of cyberattack, when defensive measures cannot keep up with the sophistication of hackers, is not the fair approach,” Dresen said.
