Proposed CISA rule would require reporting for cyber incidents and ransom payments

In healthcare, larger hospitals, all critical access hospitals, essential drug manufacturers and manufacturers of Class II and Class III medical devices would fall under the draft mandatory reporting rules, but health IT developers and others would not.
By Andrea Fox
10:43 AM


The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency is proposing a sweeping cyber incident reporting structure across 16 critical sectors, according to its notice of proposed rulemaking published in the Federal Register (PDF) on Wednesday.

CISA said it would provide 60 days for written public comments when the proposed rule is published on April 4.

WHY IT MATTERS

The security agency's development of the proposed cyber incident reporting rules followed the passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA. 

Covered organizations would have to start reporting cyber incidents under CIRCIA following the final rule, which CISA said it expects to publish within 18 months from the close of the comment period. 

While the proposed rule sets out sector-based criteria, with medical device manufacturing as one example, CISA is proposing that coverage apply at the level of the whole entity, a structure it settled on after weighing the reach of these requirements across various alternative scenarios, the agency said.

Under the proposed sector-based criteria, CISA identifies certain types of facilities and functions, and the presence of any one of them extends the definition of a covered entity to the entire organization.

For example, "the Healthcare and Public Health sector-based criteria would include, among others, entities that manufacture any Class II or III medical device," CISA said.

However, while criteria focus on certain types of facilities "as the basis of determining whether an entity is a covered entity, CISA is proposing that the entire entity (e.g., corporation, organization), and not the individual facility or function, is the covered entity," the agency said.

If reporting were limited to incidents that impact only the specific facilities or functions identified in the sector-based criteria, performing a sector-specific cybersecurity threat and trend analysis "might not be possible," CISA said.

That means that if a covered entity experiences a substantial cyber incident or makes a ransom payment across any function or facility, that would trigger the mandatory cyber incident reporting. 

In the proposal, reporting would be required even when the incident does not impact the sector-defined facility or function, for example the manufacturing of Class II or III medical devices, CISA said.

"Similarly, if an entity manufactures Class II or III medical devices, in addition to other functions that do not meet one of the sector-based criteria, the entire entity is the covered entity and any substantial cyber incident experienced by any part of the entity would need to be reported," CISA said.

In the nearly 500-page document developed over two years, CISA explains the alternatives it considered and why each was rejected.

For example, in Alternative 4, "Increase the Affected Population to All Critical Infrastructure Entities," CISA said it widened the description of covered entities to include "all entities" operating across the 16 critical infrastructure sectors.

"Under this alternative, the affected population would increase from 316,244 covered entities to 13,180,483 covered entities increasing the number of expected CIRCIA reports from 210,525 to 5,292,818 over the analysis period." 

"This would significantly increase the cost to industry, which is estimated to be $31.8 billion over the analysis period, or $3.5 billion annualized, discounted at 2%," said CISA.

In the healthcare section, CISA reviewed existing cybersecurity regulations that already require reporting to various agencies, including the Food & Drug Administration and the Department of Health and Human Services.

"In light of the sector’s broad importance to public health, the diverse nature of the entities that compose the sector, the historical targeting of the sector and the current lack of required reporting unrelated to data breaches or medical devices, CISA proposes requiring reporting from multiple parts of this sector," the agency said.

In the proposed rule, CISA is focusing on hospital reporting and not all types of facilities that provide patient care, "as they routinely provide the most critical care of these various types of entities, and patients and communities rely on them to remain operational, including in the face of cyber incidents affecting their devices, systems and networks to keep them functioning."

To further protect healthcare delivery, CISA also extends the new requirements to utilities that affect patient care, such as the water and wastewater sector.

THE LARGER TREND

Research has shown that half of ransomware attacks have disrupted healthcare delivery. Beyond the breach of protected data, common disruptions to healthcare delivery included electronic system downtime, cancellations of scheduled care and ambulance diversion. 

Last year, before proposing the cyber incident reporting rules, CISA announced the creation of its Ransomware Vulnerability Warning Pilot, a program required by CIRCIA.

The purpose of the program is to leverage CISA's existing tools, like its Cyber Hygiene Vulnerability Scanning service, to mitigate ransomware impacts and warn organizations at risk.

"Many of these incidents are perpetrated by ransomware threat actors using known vulnerabilities," CISA said in its RVWP program FAQ. "By urgently fixing these vulnerabilities, organizations can significantly reduce their likelihood of experiencing a ransomware event."

ON THE RECORD

"In designing the proposed rule, CISA sought the approach that would provide the best balance between qualitative benefits and the costs associated with implementation of the rule," the agency said in the NOPR.

"In establishing these proposed criteria, CISA also considered including criteria related to health insurance companies, health IT providers and entities operating laboratories or other medical diagnostics facilities," it added. "Ultimately, CISA determined it was not necessary to include specific sector-based criteria for any of those three industry segments."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
