Healthcare and hospital groups are urging that a federal cybersecurity incident-reporting proposal be extended to insurers and third-party vendors, pointing to the impact of the major cyberattack on Change Healthcare. The proposal from the Cybersecurity and Infrastructure Security Agency (CISA) would require companies in critical infrastructure sectors to report cyber incidents within 72 hours and to report ransom payments within 24 hours. CISA chose not to set sector-specific reporting criteria for insurance companies, health IT providers, or labs and diagnostics facilities. The American Hospital Association argues that excluding these sectors doesn’t make sense, as a disruption at a single company can affect the entire industry.
The anticipated rule from CISA aims to enable the federal government to quickly assist critical infrastructure providers and gather information on cyberattacks. The rule could cover over 316,000 entities, based on agency estimates.
CISA explained that sector-specific criteria for insurers or labs were unnecessary because many of these entities would already be captured by the size-based criteria that apply to all critical infrastructure sectors. The agency noted that the primary cyber incidents affecting health IT developers are data breaches, which are not the main focus of this rulemaking and are already subject to healthcare-specific reporting regulations.
However, industry groups such as the American Hospital Association, the American Medical Association, and the College of Healthcare Information Management Executives (CHIME) have highlighted the interconnected nature of the sector, noting that a cyberattack on a single third party can have widespread repercussions.
CHIME expressed uncertainty about whether Change, the UnitedHealth subsidiary and large medical claims processor recently hit by a major cyberattack, would even have been required to report under the proposed rule. The group suggested that Change might not meet the size-based criteria and would not be captured by the healthcare sector-specific criteria either.
Russell Branzell, president and CEO of CHIME, indicated that many third-party entities in the healthcare ecosystem might not be considered ‘covered entities’ under the proposal, thus not obligated to report significant cyber incidents.
Some groups have raised concerns about the proposed reporting timelines, noting that an incident reportable under the cyber rule could also trigger HIPAA reporting obligations, increasing the burden on providers. They also warned that overlapping regulations could result in duplicate reporting requirements.
America’s Essential Hospitals, representing safety-net hospitals, requested more flexibility in reporting cyber incidents, arguing that strict 24- and 72-hour deadlines could detract from patient care during a crisis. They also sought financial support, citing limited cybersecurity budgets and insufficient staffing as challenges for under-resourced hospitals.
Bruce Siegel, president and CEO of America’s Essential Hospitals, suggested that alleviating these burdens by providing technical assistance and a phased reporting process would help essential hospitals manage critical incidents more effectively without compromising patient care or financial stability.