
Healthcare Industry Pushes Back on New Cyberattack Reporting

By: Chilivis Grubman

For more than a decade, the healthcare industry has consistently been a top target for cyberattacks. In the U.S. alone, attacks against the healthcare sector were up 128 percent in 2023. This article, posted by the Atlanta law firm of Chilivis Grubman, discusses a new federal incident-reporting rule that would require companies and organizations, including healthcare providers, to report substantial cyber incidents within 72 hours.

The ongoing spike in healthcare cyberattacks has left regulatory agencies and providers unable to agree on a policy that gives victims timely protection without placing an undue burden on healthcare providers who are still treating patients in the midst of an attack.

The Cybersecurity and Infrastructure Security Agency’s (CISA) newly proposed reporting rule under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) received significant pushback from healthcare stakeholders during its recent comment period. The rule would require covered entities, including healthcare providers, to report substantial cyber incidents within 72 hours of reasonably believing one has occurred, and to report ransom payments within 24 hours of making them.

CISA stated that the reason for the proposed rule is that the agency is not learning about many cyberattacks in a timely way, making it difficult to help victims, spot trends and warn other companies about vulnerabilities.

A comment letter by the Medical Group Management Association (MGMA) stated that the “burdensome, confusing, and duplicative reporting requirements may impact medical groups’ ability [to] operate effectively, especially in the midst of a significant cyberattack.” Many healthcare stakeholders criticized CISA’s proposed rule as duplicative of the HIPAA Breach Notification Rule, suggesting that entities subject to both HIPAA breach notification and CIRCIA incident reporting should only have to report once, through the HHS Office for Civil Rights (OCR), to remain in compliance with both.

Although the CIRCIA reporting timeline differs from that of the HIPAA Breach Notification Rule (which allows covered entities up to 60 days after discovery of a breach), stakeholders like MGMA urge the agencies to “work together to seamlessly incorporate data that will already be reported to not only promote collaboration but ease the burden of reporting on the same incident multiple times in multiple different formats.”

A comment letter by the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) critiqued the proposed rule for requiring reporting entities to provide “a description of the covered entity’s security defenses.” This is not only a great deal of information for an organization to compile within the 72-hour notice period, the letter said, but is also “a dangerous treasure trove if obtained by bad actors,” since a centralized inventory of each entity’s defenses describes exactly what an attacker would need to bypass.

These concerns are just some of the reasons why stakeholders are asking CISA to allow flexibility in its reporting requirements. Chelsea Arnone, director of federal affairs for CHIME, also raised concerns about the rule’s enforcement terms, noting that they punish organizations that are victims of cyberattacks, and that despite well-resourced hospitals’ best efforts and investments into securing their networks, they are “facing a constant threat from people that have nothing but time and want to inflict damage.”

The proposed rule estimates that the cost of compliance to industry will be $1.4 billion. Although the CIRCIA rule proposes a size-based threshold for who must report, there are concerns that using the current SBA small-business size standard will still unduly burden smaller providers with annual revenue as low as $9 million. Even with the Biden Administration’s proposed $500 million in the 2025 budget for hospitals to bolster cyber defenses, medical groups will need similar financial aid to build the infrastructure needed to withstand increasingly sophisticated cyberattacks.

The American Hospital Association called CISA’s definition of “substantial cyber incident” ambiguous, saying it could result both in excessive disclosure of routine cybersecurity incidents and in underreporting of potentially significant events. With the comment period for this proposed rule having closed last Wednesday, CISA now has up to 18 months from the date of the proposed rule to issue a final rule.

It is worth noting that should the final version of this rule leave room for ambiguous or unclear interpretations, the Supreme Court’s recent overruling of the Chevron doctrine (Loper Bright Enterprises v. Raimondo) means courts will no longer defer to CISA’s own reading of the statute, making it uncertain how any such ambiguity will be resolved.

The attorneys at Chilivis Grubman handle all types of cyber incidents, including data breaches and ransomware attacks, and are experienced counselors regarding breach response and reporting. MagMutual has extensive resources on cyber and regulatory issues in our Learning Center and offers cyber and regulatory coverage for healthcare providers.

07/24


Disclaimer

The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.