
WEDI Provides Feedback on CISA’s Cyber Incident Reporting Rules



Last week, the Workgroup for Electronic Data Interchange (WEDI) issued comments in response to the Department of Homeland Security’s publication of proposed regulations on cybersecurity incident reporting requirements.

WHY IT MATTERS
The comments respond to the recent Notice of Proposed Rulemaking from DHS’s Cybersecurity and Infrastructure Security Agency, Reporting Requirements Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).

In a letter to CISA, WEDI – an organization that aims to foster multi-stakeholder collaboration, harnessing expertise and information to advance data-driven efficiency, quality, and cost savings across the health care industry – urged DHS to be cautious when applying mandatory reporting rules to already overstretched health care organizations.

WEDI urged CISA to recognize the challenges of timely reporting, given the administrative burden on healthcare organizations. While “strongly supporting CIRCIA’s intent to address the growing risk of cyberattacks impacting the nation’s critical infrastructure sectors,” the group said, it also urged CISA to “consider the challenges faced by covered entities during and immediately after experiencing a cyberattack. We recommend that CISA appropriately balance the need to request timely, accurate, and comprehensive information from affected entities with the need to avoid imposing a burdensome administrative burden on organizations while they are experiencing a highly disruptive event.”

In other recommendations, WEDI calls on DHS to:

  • Ensure CISA appropriately protects submitted information. “It is important that CISA take the necessary steps to protect any information provided by a covered entity to meet CIRCIA reporting requirements and apply the highest level of security controls to prevent this information from being accessed for improper purposes,” WEDI said, noting that such data could include “sensitive, proprietary information related to a covered entity’s internal network, infrastructure, and security controls.”

  • Maintain consistency between reporting requirements. WEDI urges CISA to ensure its timelines and requirements are consistent with those of other federal agencies, such as HHS and its Office for Civil Rights, with the goal of reducing the administrative burden faced by covered entities that may be required to submit incident reports to multiple enforcement agencies. “Covered entities under both HIPAA and CIRCIA should only be required to report once, through OCR, to comply with both rules,” WEDI said.

  • Build flexibility into the 72-hour reporting rule. “Cyberattacks are disruptive and confusing to the entities that encounter them,” the letter reads. “We continue to believe that for many victims of these types of attacks, it may take more than 72 hours to fully identify all data elements required for an initial report.” WEDI calls for space for entities to “file an initial report to the best of their ability within 72 hours while allowing for updates to be submitted as additional information and analysis becomes available.”

  • Understand that a ransomware attack does not always mean a reportable breach. WEDI urges the government to “establish a policy to determine that ransomware is not considered a data breach when the covered entity has implemented a recognized security program and when no PHI is accessed.” In cases where data is not accessed by unauthorized parties and where the covered health care organization can show it made a good faith effort to implement “a recognized security program and establish security policies and procedures,” the covered entity “should not be considered to have experienced a data breach.”

THE BIGGER TREND
CISA first published its proposal for a cyber incident reporting structure last March, with requirements aimed at a variety of industries across the 16 critical infrastructure sectors.

The agency is developing the proposed cyber incident reporting rules following the passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Covered entities will be required to begin reporting cyber incidents under CIRCIA once the final rule is issued.

Meanwhile, WEDI has been busy advocating for health systems affected by cybersecurity incidents. In May, WEDI wrote to the U.S. Department of Health and Human Services asking it to do more to help health care organizations manage the fallout from cyberattacks, outlining steps HHS could take to help mitigate the impact of ransomware and other cyberattacks.

ON THE RECORD
“Most importantly, the incident reporting process should be simple and easy for covered entities to complete when reporting,” WEDI said in the July 2 letter. “This can be accomplished by including comprehensive instructions that can be reviewed before initiating the process, utilizing drop-down menus rather than free-form presentations as much as possible, and limiting the number of questions to the minimum necessary to achieve the purpose of the report.”

Mike Miliard is executive editor of Healthcare IT News
Email the author: [email protected]
Healthcare IT News is a publication of HIMSS.
