WEDI offers feedback on CISA's cyber incident reporting rules

While the healthcare group "strongly supports" CIRCIA's security goals, it's urging the Homeland Security agency to "consider the challenges covered entities face during and immediately after experiencing a cyberattack."
By Mike Miliard
10:35 AM

The Workgroup for Electronic Data Interchange this past week offered its comments in response to the publication of a proposed rule from the Department of Homeland Security regarding cybersecurity reporting requirements.

WHY IT MATTERS
The recent notice of proposed rulemaking from DHS's Cybersecurity and Infrastructure Security Agency is titled the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements.

In its letter to CISA, WEDI – which aims to foster collaboration among various stakeholders to help harness expertise and information to boost the promise of data-driven efficiency, quality and cost across healthcare – cautioned the DHS agency to take a careful approach to its rules on mandated reporting for already overburdened health organizations.

WEDI urged CISA to recognize the challenges of timely reporting, given healthcare organizations' administrative burdens. While it "strongly supports the intent of CIRCIA to address the growing risk of cyberattacks impacting the nation’s critical infrastructure sectors," the group said, it also urged CISA to "consider the challenges covered entities face during and immediately after experiencing a cyberattack. We counsel CISA to strike the appropriate balance between requiring in a timely manner accurate and comprehensive information from the impacted entity with the need to avoid imposing onerous administrative burdens on organizations while they are experiencing a highly disruptive event."

In its other suggestions, WEDI called on DHS to:

  • Ensure CISA appropriately protects submitted information. "It is critical that CISA take the steps necessary to protect all information provided by a covered entity in response to CIRCIA reporting requirements and apply the highest level of security controls to prevent this information from being inappropriately accessed," said WEDI, which noted that such data might include "proprietary, sensitive information related to a covered entity’s internal network, infrastructure-related information and security controls."

  • Keep reporting requirements aligned. WEDI called on CISA to ensure its timelines and requirements line up with those of other federal agencies, such as HHS and its Office for Civil Rights, with the goal of decreasing the administrative burden faced by covered entities who could have to submit incident reports to multiple enforcement agencies. "Entities covered under both HIPAA and CIRCIA should only be required to report once, through OCR, to be compliant under both rules," it said.

  • Build in flexibility to its 72-hour reporting rules. "Cyberattacks are disruptive and confusing for the entities experiencing them," the letter reads. "We continue to believe that for many victims of these types of attacks it could take more than 72 hours to fully identify all the data elements required for the initial report." WEDI called for wiggle room that would allow entities to "submit an initial report to the best of their ability within 72 hours while allowing updates to be submitted as more information and analysis become available."

  • Recognize that a ransomware attack does not always mean an enforceable breach. WEDI asks that the government "institute a policy to establish that ransomware is not considered a data breach when the covered entity has deployed a recognized security program and when no PHI has been accessed." In cases where data has not been accessed by unauthorized entities, and where covered healthcare organizations are shown to have made a good faith effort to deploy a "recognized security program and instituted security policies and procedures," it says, that covered entity "should not be deemed to have experienced a data breach."

THE LARGER TREND
CISA first unveiled the proposed cyber incident reporting structure this past March, with requirements targeted for different industries across 16 critical sectors.

The agency's development of the proposed cyber incident reporting rules followed the passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Covered organizations would have to start reporting cyber incidents under CIRCIA following the final rule.

WEDI, meanwhile, has been busy advocating for health systems impacted by cybersecurity incidents. In May, it wrote to the U.S. Department of Health and Human Services asking it to do more to help healthcare organizations manage the fallout from cyberattacks, outlining steps HHS could take to help ameliorate the effects of ransomware and other cyberattacks.

ON THE RECORD
"Most importantly, the incident reporting process must be straightforward and easy to complete for those covered entities reporting," said WEDI in its July 2 letter. "Ease of completion can be achieved by including comprehensive instructions that can be reviewed prior to starting the process, leveraging drop-down menus as opposed to free-form exposition as much as possible, and limiting the number of questions to the minimum required to achieve the purpose of the reporting."

Mike Miliard is executive editor of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.