Industry Groups Give Feedback on CISA’s Proposed Cybersecurity Reporting Requirements
In April, as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the Cybersecurity and Infrastructure Security Agency (CISA) issued a Notice of Proposed Rulemaking (NPRM) introducing new requirements for critical infrastructure entities to report certain cybersecurity incidents. CISA sought comment from the public, and several healthcare stakeholders have provided feedback on the proposed rule.
Background
The proposed rule requires critical infrastructure entities to report cybersecurity incidents to CISA within 72 hours of detecting a cybersecurity incident and within 24 hours of making a ransomware payment. The types of covered incidents include:
- Unauthorized system access
- Denial of Service (DoS) attacks with a duration of more than 12 hours
- Malicious code on systems, including variants if known
- Targeted and repeated scans against services on systems
- Repeated attempts to gain unauthorized access to systems
- Email or mobile messages associated with phishing attempts or successes
- Ransomware attacks against critical infrastructure, including the variant and ransom details if known
The types of information that must be submitted to CISA include:
- Incident date and time
- Incident location
- Type of observed activity
- Detailed narrative of the event
- Number of people or systems affected
- Company/Organization name
- Point of Contact details
- Severity of event
- Critical infrastructure sector
- Anyone else who has been informed
CISA will share the information with federal and non-federal partners to improve detection, minimize the harmful impacts on critical infrastructure entities, accelerate mitigation of exploited vulnerabilities, and allow software developers and vendors to develop more secure products. The information will also be shared with law enforcement to help with the investigation, identification, capture, and prosecution of the perpetrators of cybercrime.
Healthcare Industry Groups Give Feedback to CISA
The Workgroup for Electronic Data Interchange (WEDI) and the Medical Group Management Association (MGMA) have called for CISA to align the reporting time frame with the HHS’ Office for Civil Rights, as having to submit reports to multiple agencies will place a considerable administrative burden on healthcare organizations. MGMA believes the new reporting requirements will be overly burdensome for medical groups, and the duplicative reporting requirements may affect the ability of those groups to operate effectively, especially when dealing with a cyberattack.
MGMA explained that under HIPAA, covered entities must report cybersecurity incidents to the HHS’ Office for Civil Rights within 60 days. Rather than layering different reporting requirements on top of each other, MGMA suggests that CISA should work closely with the HHS to seamlessly incorporate data that must be reported under HIPAA. This would promote collaboration and prevent covered entities from reporting the same incident multiple times in different formats. MGMA said that the size-based criteria for reporting mean small medical groups will not have the burden of reporting incidents, but that using the SBA definition means many small physician offices will still be affected, even practices with annual revenues as low as $9 million.
The short timeframe for reporting incidents was criticized by WEDI, which said it could take longer than 72 hours to gather all the necessary information for the initial report. WEDI has called for CISA to be flexible with the reporting timeframe, for example by allowing the initial report to be submitted with as much information as could be gathered within 72 hours and allowing additional information to be submitted after that deadline as it becomes available. WEDI also proposes a carve-out for certain ransomware attacks. WEDI has requested that CISA not consider an attack to be a data breach if no protected health information has been accessed, provided the entity has made a good faith effort to deploy a recognized security program and has implemented security policies and procedures.
CHIME/AEHIS Members Express Concern
The College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) have urged CISA to consider that the core mission of healthcare is patient safety and not to implement regulatory requirements that could jeopardize that mission.
One concern from their members is the reporting requirements under HIPAA, which require security breaches to be reported to OCR within 60 days of the discovery of a data breach. They are concerned that the clock would start ticking for reporting under HIPAA on the date of submission of the incident report to CISA, and that could create considerable additional burdens for HIPAA-regulated entities. CHIME and AEHIS have asked CISA to clarify the reporting requirements for managed service providers and other third-party service providers that provide products or services to HIPAA-covered entities, requesting that the service provider be considered the covered entity for reporting under CIRCIA.
After the initial incident report, critical infrastructure entities are required to submit supplemental reports following a significant cybersecurity incident, with those supplemental reports submitted without delay or as soon as possible. There is concern that with the threat of enforcement, HIPAA-covered entities may feel compelled to prioritize reporting of incidents over patient safety. CHIME/AEHIS have requested that the supplemental reports be submitted every 72 hours at a minimum or every 5 days, and for those reports to only be required if substantial new or different information becomes available.
CHIME/AEHIS point out that the definition of larger hospitals – those with 100 or more beds – is inadequate and that a more nuanced approach is required, one that considers factors other than bed count. They also ask that critical access hospitals (CAHs), which are already under considerable financial strain, not be required to report incidents. Making CAHs report incidents could increase the financial strain on those hospitals, leading to more closures and reduced access to healthcare for patients.
CHIME/AEHIS have received feedback from their members about the level of detail required by CISA about the security architecture of breached entities. “If CISA requires hospitals and healthcare systems to define their entire security architecture, that is a tremendous amount of information to include in a report,” explained the industry groups. “Our members do not believe that CISA needs to know an entire description of an organization’s security program – as it is not helpful to fulfill the purpose of CIRCIA, is potentially considered intellectual property (IP), and/or sensitive for the organization.”
AHA Requests Amendments to Ease Burden on Hospitals
The American Hospital Association (AHA) has also called for CISA to harmonize reporting with OCR to reduce the burden on hospitals and suggests the use of a single web-based report based on the Information Sharing and Analysis Center (ISAC) model that is already used by CISA. Concern has also been raised about the 72-hour reporting timeframe, especially considering the amount of information CISA requires in the reports.
The AHA considers the data retention period to be far too long at 2 years, especially considering the information that needs to be retained is data-dense. In addition to the costs of remediating an attack, hospitals would also have unbudgeted data management expenses to retain a huge amount of non-clinical, non-financial, and non-operational data, which may require significant additional data storage capacity and additional staff. The AHA has requested that CISA include a guarantee that the information in the reports will not be shared between federal agencies to prevent the information from being used to impose criminal liability or civil monetary penalties on entities that report cybersecurity incidents.
Like other commenters, the AHA believes the proposed rule’s exemption on insurers and other support entities makes no sense, considering how intertwined they are in healthcare. “Putting aside for a moment the considerable number of smaller specialty insurers, laboratories, and others that provide services and exchange data with hospitals and health systems, it does not make sense to think of any health insurers and clinical laboratories as disconnected outliers,” wrote the AHA. “In fact, they are health care entities, and all health care entities regardless of size are integral parts of the patient care continuum with shared risks and responsibilities regarding patient outcomes as we saw during the COVID-19 pandemic. They are directly integrated with codependent technology such that the cascading impact of a single entity’s system disruption can cripple the entire sector, which was the case in the Change Healthcare ransomware attack.”
The ambiguous and sometimes confusing language of the proposed rule has also been criticized, including the definition of “substantial cyber incident,” which could result in both excessive disclosures of cybersecurity incidents and the under-reporting of potentially significant events. Further, the proposed rule states that actions taken in response to an attack, such as the best practice of quickly shutting down systems or taking them offline, could themselves make the incident reportable. That could turn a relatively minor incident into a reportable breach, which could disincentivize organizations from acting swiftly to minimize the impact of a security incident.
While CISA has made an effort to exempt smaller hospitals from the reporting requirements, the AHA estimates that fewer than 60 hospitals would benefit from the current exemptions, since to qualify a hospital would have to have less than $47 million in receipts, not offer ER service to a population equal to or greater than 50,000, have fewer than 100 beds, and not be a CAH. In the AHA’s view, a better approach would be to do away with the exclusions and to simplify the reporting criteria to make it easy for all health sector entities to report incidents. “If the reporting requirements cannot be sufficiently simplified so as not to burden any entity in the sector, then CISA should broaden the exemption criteria so that any hospitals below 100 beds, including all CAHs, would be exempt from these incident reporting requirements,” suggests the AHA.
Like CHIME/AEHIS, the AHA also objects to the requirement to provide detailed security information to CISA and recommends that the reporting requirements for security architecture and cybersecurity defenses be removed, as that information would be incredibly valuable to cybercriminals and could itself become a target. While regulatory compliance is important, the AHA believes that it would be better to incentivize collaboration rather than threaten further punishment on hospitals and health systems responding to a criminal attack.