Health systems and industry trade groups are objecting to new cybersecurity reporting requirements proposed by the Cybersecurity and Infrastructure Security Agency.
The proposed rule under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 would, among other things, require covered entities to report cyberattacks within 72 hours and ransom payments within 24 hours. The proposal, which is estimated to cost the industry $1.4 billion, would exempt small and critical access hospitals.
"The AHA recommends that CISA revise the proposed rule to incentivize collaboration rather than threaten further punishment on hospitals and health systems responding to a criminal attack," wrote Ashley Thompson, senior vice president of public policy for the American Hospital Association, in a July 2 public comment.
Health systems that submitted public comments on the proposal included Oakland, Calif.-based Kaiser Permanente, Sacramento, Calif.-based Sutter Health, Grand Rapids and Southfield, Mich.-based Corewell Health, Detroit-based Henry Ford Health, Minneapolis-based Fairview Health Services, West Des Moines, Iowa-based UnityPoint Health, Duluth, Minn.-based Essentia Health, and Tampa (Fla.) General Hospital. Other organizations that commented included the College of Healthcare Information Management Executives, Epic, HIMSS, the Federation of American Hospitals, and America's Essential Hospitals.