Industry groups express concern over proposed CIRCIA reporting requirements

The Cybersecurity and Infrastructure Security Agency (CISA) issued a proposed rule in March 2024 regarding reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). In public comments, the American Hospital Association (AHA) and the Medical Group Management Association (MGMA) expressed concerns about how the rule will affect healthcare entities that are already subject to other cybersecurity incident reporting requirements.

CIRCIA, which was enacted in March 2022, requires CISA to develop and implement regulations that require covered entities to report cyber incidents and ransomware payments to CISA. Although the law has been in effect since 2022, the reporting requirements will not go into effect until CISA completes its formal rulemaking process. The final rule is expected to be published in 2025.

Specifically, CIRCIA requires CISA to develop regulations requiring covered entities to report any covered cyber incidents to CISA within 72 hours from the time the entity reasonably believes the cyber incident occurred. Covered entities would also be required to disclose ransomware payments within 24 hours of the payment.

The NPRM consists of 20 sections that define key terms, outline CISA’s plan for harmonizing CIRCIA with other regulations and explore its proposed penalties.

Healthcare entities are already subject to the HIPAA Breach Notification Rule and other regulations, leading industry groups to question whether additional reporting requirements would be feasible or necessary.

“Specifically, the reporting proposed by CISA is redundant to what is required by other federal agencies, adding unnecessary burden to what the hospital must do at the same time that it is working to ensure patients are getting the care they need despite the crippling of vital electronic systems,” Ashley Thompson, senior vice president of public policy at the AHA, stated in a letter to CISA Director Jen Easterly.

The AHA recommended that CISA convene the relevant federal and state agencies to agree on a uniform reporting process prior to introducing any new reporting requirements. Specifically, the AHA recommended that CISA look into a web-based reporting process based on the Information Sharing and Analysis Center (ISAC) model already used by CISA.

Similarly, MGMA pointed out the need for further harmonization in its letter to CISA.

“Medical groups are already subject to various reporting requirements from HHS under HIPAA. Instead of implementing the duplicative reporting requirements in this proposed rule, we strongly urge CISA to work closely with HHS to avoid layering complex requirements on one another,” MGMA stated.

“While there are different timeframes for HIPAA Breach Notification Rule, the agencies should work together to seamlessly incorporate data that will already be reported to not only promote collaboration but ease the burden of reporting on the same incident multiple times in multiple different formats.”

MGMA also stressed that while it appreciates CISA’s need for timely data, healthcare entities may need flexibility so they can focus on patient care amid a cyber disruption.

Both the AHA and MGMA also took issue with CISA’s vague definition of a “substantial cyber incident,” which it defines as “an occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually jeopardizes, without lawful authority, an information system.” 

What’s more, both groups scrutinized the proposed penalty system, which would refer unreported cyber incidents to the Attorney General to potentially bring a civil action and contempt of court actions against the entity that experienced a cyber incident.

“The AHA acknowledges that the spread and impact of cybercrime require the federal government to take strong actions to protect American citizens,” the AHA’s letter stated. “However, punishing victims is counterintuitive and counterproductive.”

Both the AHA and MGMA recommended that CISA work alongside victim entities to incentivize collaboration rather than inflicting further punishment.

While enhanced cyber incident reporting requirements would undoubtedly provide crucial data to CISA to prevent future incidents, industry groups suggest that the proposed rule needs some changes to be reasonable for the healthcare sector.