The American Hospital Association is raising concerns about hospital reporting requirements proposed by the Cybersecurity and Infrastructure Security Agency under the Cyber Incident Reporting for Critical Infrastructure Act.
On July 3, the AHA penned a letter to Jen Easterly, director of CISA, saying the proposed requirements for hospitals are "redundant with what other federal agencies require and that they place an unnecessary burden on hospitals."
On March 27, CISA proposed a new rule for healthcare organizations when it comes to cybersecurity incident reporting. According to this rule, hospitals and health systems must report any covered cyber incidents, ransom payments made in response to ransomware attacks and any significant new information related to a previously submitted report to the agency within specific time frames.
The AHA highlighted several issues it sees with the rule and urged the agency to make several changes, stating that:
- Federal agencies need to ensure data remains anonymous.
- Reporting rules should be clear and apply to the entire health sector due to their interconnected relationships.
- Reporting requirements should be simplified because they create significant burdens and privacy risks for hospitals and health systems.
- There should be a clearer explanation of penalties and when they apply.
- Penalties are too harsh, especially when the organization was a victim of an attack by a malicious group or nation-state.
The AHA is asking the organization to simplify reporting burdens for hospitals and to agree to a "uniform" reporting process.