Cybersecurity incident reporting rule would exclude insurers, vendors
A proposed rule by the Cybersecurity and Infrastructure Security Agency (CISA) would require swift reporting of cybersecurity incidents and ransomware attacks by several entities working in critical infrastructure, including hospitals.
However, healthcare provider groups and hospitals say the rule—which requires security incidents to be reported within 72 hours and ransom requests to be reported within 24—must also cover third-party vendors and insurance companies if it is to be effective, especially after the breach of Change Healthcare effectively shut down reimbursement for much of the country.
In its proposed rule, first released in 2022, CISA has not included any language about regulatory requirements for health IT vendors, labs and insurance companies. This means they are effectively excluded, while hospitals, urgent care centers and provider practices are explicitly mentioned.
The proposed rule is designed to help the federal government deploy its resources to thwart a cyberattack as it occurs. But, without expanding the reporting requirements to cover all sectors of the healthcare ecosystem, the rule effectively would only aid the government in responding to attacks on hospitals, critics argue.
To the American Hospital Association (AHA), the exclusion of insurers and other support entities doesn’t add up. In a lengthy statement released last week, the AHA argued that protecting critical infrastructure requires that the CISA rule be expanded to insurers and other vendors, as they are now effectively intertwined with providers and hospitals.
“Putting aside for a moment the considerable number of smaller specialty insurers, laboratories and others that provide services and exchange data with hospitals and health systems, it does not make sense to think of any health insurers and clinical laboratories as disconnected outliers,” the AHA wrote. “In fact, they are health care entities, and all health care entities regardless of size are integral parts of the patient care continuum with shared risks and responsibilities regarding patient outcomes as we saw during the COVID-19 pandemic. They are directly integrated with codependent technology such that the cascading impact of a single entity’s system disruption can cripple the entire sector, which was the case in the Change Healthcare ransomware attack.”
What about HIPAA?
The AHA isn’t the only group concerned about the effectiveness of the rule. The College of Healthcare Information Management Executives (CHIME) has previously issued its own statement arguing that the proposed rule needs to be expanded if the goal is to ensure healthcare services continue to function in the event of a cyberattack.
In response, CISA argued that healthcare-specific regulations already cover any entity that must adhere to the Health Insurance Portability and Accountability Act (HIPAA). Additionally, most attacks on healthcare are data breaches for commercial gain, and thwarting those is not CISA’s primary aim.
For CHIME, the overlapping regulation only creates more confusion for healthcare organizations already required to meet reporting requirements under HIPAA. Under the proposed CISA rule, hospitals and provider groups would effectively need to comply with two regulatory frameworks for reporting, and CHIME fears the turnaround times proposed by CISA are too difficult for hospitals and provider groups to meet.
Further, it isn’t clear whether a report sent to CISA would also start the countdown for HIPAA-required patient notifications related to a data breach. If it did, provider groups would be racing the clock to notify affected patients before they had even begun investigating what data was taken.
The last update to the CISA proposed rule was made in April 2024. You can read the full text here.