WEDI provides feedback on CISA’s cyber incident reporting rules

The Electronic Data Interchange Working Group last week provided comments in response to the Department of Homeland Security’s publication of a proposed rulemaking regarding cybersecurity reporting requirements.

WHY IT MATTERS
The recent Notice of Proposed Rulemaking from DHS’s Cybersecurity and Infrastructure Security Agency sets out the Cyber Incident Reporting Requirements for Critical Infrastructure (CIRCIA).

In its letter to CISA, WEDI — which aims to foster collaboration among diverse stakeholders to leverage expertise and information to enhance the promise of data-driven efficiency, quality, and cost in health care — cautioned the DHS agency to take a careful approach to its rules on mandatory reporting for already overburdened health care facilities.

  • Balancing Timely Reporting and Administrative Burden: WEDI strongly supports CIRCIA’s intent to address the growing risk of cyberattacks on the nation’s critical infrastructure sectors, including healthcare. However, when developing policies and procedures related to cyber incident reporting, we urge CISA to consider the challenges covered entities face during and immediately after experiencing a cyberattack. We advise CISA to strike the right balance between requiring timely, accurate, and comprehensive information from the affected entity and the need to avoid imposing onerous administrative burdens on organizations while experiencing a highly disruptive event.

  • Ensuring CISA Properly Protects Submitted Information: While we appreciate the proposed rule outlining the processes and procedures covered entities must implement to preserve data and records related to the cyberattack, we urge CISA to include in the final rule information regarding how CISA itself will protect and manage the information contained in cyber incident reports and supplemental reports received from covered entities. It is critical that CISA take the necessary steps to protect all information provided by a covered entity in response to CIRCIA’s reporting requirements and implement the highest level of security measures to prevent this information from being accessed inappropriately. This reported material may include proprietary, sensitive information regarding a covered entity’s internal network, infrastructure-related information, and security measures. All report information provided to CISA must be kept confidential and may not be used for purposes other than those required under CIRCIA.

  • Align Reporting Requirements: We strongly urge CISA to align its reporting timelines and requirements with those of other federal partners, including HHS/Office for Civil Rights, to reduce the administrative burden for covered entities that may need to submit incident reports to multiple agencies. Entities covered by both HIPAA and CIRCIA would be required to report only once, via OCR, to comply with both rules, under CIRCIA’s substantially similar reporting exception.

  • Add Flexibility to the 72-Hour Reporting Requirement: Cyberattacks are disruptive and confusing to the entities that experience them. We continue to believe that for many victims of these types of attacks, it may take more than 72 hours to fully identify all required data elements for the initial report. Our recommendation is that CISA add flexibility to this requirement, allowing covered entities to submit an initial report within 72 hours on a best efforts basis, while allowing for updates to be submitted as more information and analysis becomes available.

  • Determining That a Ransomware Attack Is Not Always an Enforceable Data Breach: We strongly recommend that the federal government establish a policy to determine that ransomware will not be considered a data breach if the covered entity has implemented a recognized security program and no PHI was accessed. Should no data breach occur that results in data access by unauthorized entities, and the covered entity is shown to have made a good faith effort to implement a recognized security program and has security policies and procedures in place, then the covered entity should not be considered to have suffered a data breach.

THE BIGGER TREND
CISA first revealed the proposed cyber incident reporting structure in March this year, with requirements targeting various industries across 16 critical sectors.

The agency’s development of the proposed cyber incident reporting rules followed the passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Covered organizations would be required to report cyber incidents under CIRCIA after the final rulemaking.

WEDI has been busy advocating for health systems affected by cybersecurity incidents. In May it wrote to the U.S. Department of Health and Human Services asking it to do more to help healthcare organizations manage the impact of cyberattacks. It also outlined steps HHS could take to help mitigate the impact of ransomware and other cyberattacks.

ON THE RECORD
“Most importantly, the incident reporting process must be simple and easy to complete for the covered entities reporting,” WEDI said in its July 2 letter. “Ease of completion can be achieved by including comprehensive instructions that can be reviewed before initiating the process, using drop-down menus instead of free-form statements whenever possible, and limiting the number of questions to the minimum necessary to achieve the purpose of the reporting.”

Mike Miliard is Editor-in-Chief of Healthcare IT News
Email the author: mike.miliard@himssmedia.com
Healthcare IT News is a publication of HIMSS.