Can CISA’s New Cybersecurity Rules Strain Healthcare Operations?

The healthcare industry is facing significant challenges with the recent proposed rule from the Cybersecurity and Infrastructure Security Agency (CISA). This rule, under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), aims to enhance cybersecurity incident reporting requirements for critical infrastructure entities. While the goal is to improve national cybersecurity resilience, healthcare organizations argue that the new requirements could strain their operations.

The Proposed Rule and Its Objectives

Enhancing Cybersecurity Resilience

The proposed rule, introduced by CISA Director Jen Easterly, is designed to provide the federal government with a clearer understanding of cyber threats facing critical infrastructure while facilitating quicker and more coordinated responses to adversarial campaigns. By addressing these threats more efficiently, the rule aims to bolster national cybersecurity resilience. However, the healthcare sector, which frequently encounters cyber incidents, is particularly impacted by these proposed changes. The rule intends to enhance reporting practices, allowing federal agencies to quickly gather and act on information, thereby mitigating future risks. These changes are intended to foster greater preparedness and a more robust defense mechanism across all sectors, yet the healthcare domain faces distinct challenges.

Specific Requirements for Healthcare Entities

The proposal sets forth strict requirements targeting specific segments within the healthcare industry, including hospitals with 100 or more beds, critical access hospitals, manufacturers of essential medicines, and moderate-to-high-risk medical device makers. Various IT entities supporting healthcare operations are also subject to these new regulations. Health insurers, lab operators, and health IT providers are not explicitly mentioned in the proposal but are expected to adhere to general requirements based on their operational scale. Notably, health IT providers already comply with breach reporting mandates under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act rules. This layered oversight complicates compliance and necessitates a more harmonized approach to avoid redundant efforts and optimize resource allocation.

Concerns from Healthcare Providers

Strain on Resources and Operational Continuity

Healthcare provider and health tech groups have raised substantial concerns with the proposal, primarily highlighting the strain it places on organizations already struggling with cyberattack recovery. The American Hospital Association (AHA) argued that the proposed 72-hour incident reporting timeline would divert crucial resources away from maintaining clinical and operational continuity, deeming the requirement unreasonable. This rapid reporting timeframe can significantly detract from the primary focus of healthcare providers, which is to ensure uninterrupted and high-quality patient care. The urgency to compile and submit reports within such a short window is seen as not only impractical but also potentially detrimental to patient outcomes, further burdening already stretched resources.

Redundant Reporting Obligations

Furthermore, the College of Healthcare Information Management Executives (CHIME) and the Medical Group Management Association (MGMA) emphasized that the new requirements, layered on top of existing Health and Human Services regulations, create redundant reporting obligations. These organizations argue that redundant workflows could overwhelm healthcare systems, making it harder to respond effectively to cyber threats. They called for harmonization across agencies to streamline the reporting process and reduce the burden on healthcare organizations. The need for a unified approach is underscored by the complexity and volume of regulatory frameworks healthcare entities already navigate. Simplifying these processes could enable more focused and effective cybersecurity measures, thereby enhancing overall system resilience.

Data Preservation and Security Concerns

Extensive Data Log Preservation

One critical point of contention is the mandate for entities to preserve extensive data logs, forensics, and communications for two years following an incident. The American Hospital Association (AHA) highlighted the significant data storage capacity and additional staff required to meet this requirement, considering it overly burdensome. Ensuring the security and integrity of preserved data, while allocating resources to manage this information, poses a substantial challenge. This mandate not only involves significant financial and logistical investments but also necessitates advanced cybersecurity measures to prevent unauthorized access and breaches during the storage period, thus complicating compliance efforts further.

Risks of Reporting Cyber Defenses

Another significant concern is the requirement for entities to report detailed outlines of their cyber defenses to CISA. Members of the College of Healthcare Information Management Executives (CHIME) feared that such highly sensitive information could become a target for criminals, essentially providing a roadmap for attacks. The American Hospital Association (AHA) noted that a past breach of CISA’s systems could further compromise the security of the reported information. The apprehension is that disclosing intricate details of cybersecurity measures could inadvertently expose weaknesses, putting the entire system at risk. This dilemma underscores the need for a balanced approach that ensures effective oversight without endangering the very entities it aims to protect.

Inclusion Criteria and Third-Party Vendors

Undefined Inclusion Criteria

Healthcare groups also expressed concerns about the undefined inclusion criteria for health insurers, health IT vendors, and other third parties. These entities are deeply interconnected with direct care providers, and their involvement is crucial for comprehensive cybersecurity efforts. There is a need for explicit inclusion in the reporting requirements to ensure no loopholes exist within the interconnected systems. For instance, the American Medical Association (AMA) cited the attack on Change Healthcare, underscoring the interconnectedness within the healthcare sector and the potential for widespread disruption stemming from a single vendor breach. The vagueness regarding which entities fall under the purview of these regulations demands clarification to foster robust, coordinated cybersecurity defenses across the board.

Risks of Excluding Key Entities

CHIME warned that excluding entities such as insurers or health IT clearinghouses could lead those entities to self-assess as falling outside CIRCIA’s compliance requirements, noting the risks this poses to coordinated cybersecurity efforts. This oversight could undermine comprehensive cybersecurity strategies, leading to vulnerabilities within the entire healthcare ecosystem. The potential risks of such exclusion extend beyond individual entities, potentially compromising the broader network of interconnected systems vital to healthcare operations. As the healthcare sector increasingly relies on integrated platforms and collaborative networks, ensuring that every link in the chain adheres to robust cybersecurity protocols becomes paramount for mitigating broader risks.

Calls for Simplified and Uniform Reporting

Simplified Reporting Requirements

AHIP, representing health insurers, echoed calls for simplified and uniform reporting requirements. They sought clarity on what constitutes a “covered cyber incident” and proposed that third-party vendors, such as health IT providers and other HIPAA business associates, act as the primary reporting entity for their customers. This approach could streamline the process and reduce redundancy, thereby optimizing the efficiency of reporting mechanisms. Simplified reporting channels would enable faster communication, reducing the administrative burden on individual healthcare entities while ensuring that essential information reaches the relevant authorities promptly.

Harmonization Across Regulations

The healthcare sector is currently grappling with significant challenges due to a recent proposed rule introduced by the Cybersecurity and Infrastructure Security Agency (CISA). This proposed regulation is part of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The primary objective of this rule is to bolster cybersecurity incident reporting requirements for critical infrastructure entities, including healthcare organizations. While the initiative seeks to enhance the nation’s cybersecurity resilience, many within the healthcare industry argue that the new demands may impose additional burdens on their already strained operations.

Healthcare organizations are particularly concerned about the practicality and feasibility of complying with these new requirements. They fear that the increased administrative load could divert resources away from patient care, which is their primary mission. There is also anxiety about the potential costs involved in upgrading systems and protocols to meet the stringent reporting standards. These concerns point to a broader issue: the need to balance improved cybersecurity measures with the operational realities and resource constraints faced by healthcare providers.
