The proposed CISA rule would require reporting for cyber incidents and ransom payments
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is proposing a comprehensive cyber incident reporting structure across 16 critical sectors, according to the notice of proposed rulemaking published in the Federal Register (PDF) on Wednesday.
CISA said it would allow 60 days for written public comments when the proposed rule is published on April 4.
WHY IT MATTERS
The security agency’s development of the proposed rules for reporting cyber incidents followed the passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA.
Covered organizations would be required to begin reporting cyber incidents under CIRCIA under the final rule, which CISA expects to publish within 18 months of the end of the comment period.
While the proposed rule provides sector-based criteria, using medical device manufacturing as an example. CISA is proposing an entity-based criteria structure after considering the scope of these requirements under several alternative scenarios, the agency said.
Based on the proposed industry-based criteria, CISA proposes certain types of facilities that perform certain functions, which would expand the definition of a covered entity within an organization.
“For example, the healthcare and public health-based criteria include entities that manufacture Class II or III medical devices,” CISA said.
However, although the criteria focus on certain types of facilities “as a basis for determining whether an entity is a covered entity, CISA proposes that the entire entity (e.g., a business, organization), and not the individual facility or function , is the covered entity.” entity,” the agency said.
If reporting were limited to incidents affecting only specific facilities or functions identified in the sector-based criteria, the agency’s ability to conduct a sector-specific cybersecurity threat and trend analysis “may not be possible,” according to CISA.
This means that if a covered entity experiences a substantial cyber incident or pays a ransom for a feature or facility, this would trigger mandatory cyber incident reporting.
The proposal would require reporting even if the incident does not impact the industry-defined facility, such as the manufacturer of Class II or III medical devices, CISA said.
“Similarly, if an entity manufactures Class II or III medical devices, in addition to other functions that do not meet any of the sector-based criteria, the entire entity is the covered entity and any substantial cyber incident experienced by any part of the entity is reported should be,” CISA said.
In the nearly 500-page document, developed over two years, CISA explains which alternatives it considered and why each was rejected.
For example, in Alternative 4, “Expand Affected Population to Include All Critical Infrastructure Entities,” CISA said it has expanded the definition of covered entities to include “all entities” operating in the 16 critical infrastructure sectors.
“Under this alternative, the affected population would increase from 316,244 covered entities to 13,180,483 covered entities, increasing the number of expected CIRCIA reports during the analysis period from 210,525 to 5,292,818.”
“This would significantly increase costs to the industry, which are estimated at $31.8 billion over the analysis period, or $3.5 billion annually, with a 2% discount,” CISA said.
In healthcare, CISA reviewed existing cybersecurity regulations that already require reporting to several agencies, including the Food & Drug Administration and the Department of Health and Human Services.
“In light of the sector’s broad importance to public health, the diverse nature of the entities comprising the sector, the sector’s historical target audience, and the current lack of mandatory reporting unrelated to data breaches or medical devices, CISA to require reporting from multiple organizations. parts of this sector,” the agency said.
In the proposed rule, CISA focuses on hospital reporting and not all types of facilities that provide patient care, “as they routinely provide the most critical care of these different types of entities, and patients and communities depend on them to remain operational, including in light of cyber incidents that affect their devices, systems and networks to keep them functioning.”
To further protect healthcare, CISA has also expanded new requirements for utilities that impact patient care, such as the water/wastewater sector.
THE BIG TREND
Research has shown that half of ransomware attacks have disrupted healthcare. In addition to the breach of protected data, common healthcare disruptions include electronic system outages, cancellations of scheduled care, and ambulance diversions.
Before CISA proposed rules for reporting cyber incidents, it announced last year the creation of its Ransomware Vulnerability Warning Pilot, a program required by CIRCIA.
The goal of the program is to leverage CISA’s existing tools, such as the Cyber Hygiene Vulnerability Scanning service, to limit the impact of ransomware and alert organizations at risk.
“Many of these incidents are perpetrated by ransomware threat actors exploiting known vulnerabilities,” CISA says in its RVWP program FAQ. “By urgently resolving these vulnerabilities, organizations can significantly reduce the likelihood of a ransomware event.”
ON THE RECORD
“In designing the proposed rule, CISA sought the approach that would best balance qualitative benefits and the costs associated with implementing the rule,” the agency said in the NOPR.
“In establishing these proposed criteria, CISA also considered including criteria related to health insurers, health IT providers, and entities that operate laboratories or other medical diagnostic facilities,” it added. “Ultimately, CISA determined that it was not necessary to include specific sector-based criteria for any of these three industry segments.”
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.