AHA calls for clarity in CISA's proposed cyber incident rules

The American Hospital Association (AHA) has issued a response to the Cybersecurity and Infrastructure Security Agency (CISA) proposed rule, expressing concerns over the impact of new cyber incident reporting requirements.

What happened

Following several high-profile cyber attacks targeting healthcare organizations, President Biden approved the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March 2022. 

Among its provisions, CIRCIA mandated that the Cybersecurity and Infrastructure Security Agency (CISA) develop regulations for reporting cyber incidents and ransomware payments directly to CISA.

While the reported information will aid cyberattack victims, spot trends, and alert potential targets, the AHA has released detailed comments on CISA's proposed regulations, stating their concerns and urging the agency to modify the reporting process.

More specifically, they suggest a streamlined reporting process that does not overly burden healthcare operational demands and patient care priorities.

Furthermore, they advocate for clear definitions of incident severity and exemption criteria that reflect the operational realities of healthcare organizations to enhance cybersecurity and patient care.

What was said

According to the AHA, “The reporting proposed by CISA is redundant to what is required by other federal agencies, adding unnecessary burden to what the hospital must do at the same time that it is working to ensure patients are getting the care they need despite the crippling of vital electronic systems.”

In addition, the AHA urges CISA to consider the operational realities of healthcare providers stating, "These regulations must strike a balance between cybersecurity preparedness and operational continuity in healthcare settings."

AHA’s recommendations

• Unified reporting processes across federal and state agencies through a single, web-based report.
• Ensuring anonymity for reporting entities, prohibiting federal agencies from sharing report information to prevent premature investigations or penalties before establishing responsibility.
• Collaborating with sector representatives to clearly quantify event impacts so organizations can promptly mitigate the impact of an attack.
• Clarifying the language of the proposed rule and including real-world scenarios, like changing the ambiguous definition of ‘substantial cyber incident’ and relating it to operational realities or complex interconnectedness of the field.
• Establishing quantifiable criteria for incident impacts that do not penalize proactive incident response measures.
• Simplified reporting criteria across the health sector to alleviate stress on hospitals and advocates for broader exemption criteria, especially for hospitals with fewer than 100 beds and critical access hospitals (CAHs).
• Including all healthcare entities, regardless of size, in incident reporting considerations.
• Recognizing attacks on hospitals and health systems as life-threatening, so involving critical devices and third-party systems are needed for patient care and operations. 
• Addressing the broader impacts of ransomware attacks, like the Change Healthcare incident, which caused severe operational and financial disruptions beyond data breaches.
• Limiting file and data retention to one year, cap file sizes, and provide government-funded or no-cost storage options when limits are exceeded.
• Revising reporting requirements to exclude sensitive information about hospital and health system technical architecture and cybersecurity defenses.
• Encouraging collaboration instead of imposing additional penalties on hospitals and health systems that respond to cyberattacks.

Why it matters

The AHA's response reflects broader concerns within the healthcare industry regarding the impact of regulatory changes on cybersecurity practices and patient care. It calls for collaborative efforts to enhance sector-wide cybersecurity and ensure regulatory compliance.

The bottom line

Healthcare providers must prepare for potential changes in cyber incident reporting requirements under CISA's proposed rule to ensure compliance and mitigate operational disruptions effectively.