CISA Proposes Practical Guidelines For Reporting Cyber Incidents

EHR Association Privacy & Security Workgroup

The Cybersecurity and Infrastructure Security Agency (CISA), responsible for coordinating cybersecurity programs within the U.S. and improving the government’s cybersecurity protections, proposed new reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA. The proposed rule lays out what incidents must be reported, by whom, and what the reports must contain. While the EHR Association provided comments of support for most areas, suggestions for potential refinement were also offered. 

Reporting Requirements for Substantial Cyber Incidents (What Is Reported)

Digital malfeasance can take many forms, creating a complex and potentially unwieldy regulatory environment. CISA suggests a seemingly simple framework: any substantial cyber incident suffered by a covered entity must be reported. A substantial cyber incident is defined as an incident that seriously impacts operations, including the confidentiality, integrity, or availability of information. CISA further proposes to include any cyber incident that results from a compromise of a third-party data hosting provider or of the supply chain, or that involves certain attacks or exploits. CISA, with the EHR Association’s full support, does not believe the tactics, techniques, and procedures (TTPs) used to perpetrate an incident are relevant to determining whether an incident is substantial.

The flexibility of CISA’s proposed language encompasses a broad range of disruptions while excluding those with limited scope or impact:

  • A denial-of-service (DoS) attack that blocks patients from accessing services for an extended period would count as a substantial cyber incident, while a DoS attack that briefly blocks a public-facing website might not. 
  • Unauthorized access to business systems using compromised credentials from a managed service provider would count as a substantial cyber incident, but not when security systems block a single user’s compromised credentials from granting unauthorized access. 

The EHR Association appreciates the clarity of language in this section but suggests stronger phrasing to further reduce unnecessary reporting of minor incidents. In the criterion covering supply chain compromises, we recommend explicitly adding the exploitation of vulnerabilities in relied-upon open-source software. Highlighting known vulnerabilities in widely used but overlooked software is crucial for developing effective strategies to mitigate such risks. 

Sector-Based Criteria (Who Must Report)

A common refrain across sectors is the desire for “definitional clarity,” i.e., a clear answer to the question, “Am I supposed to report this?” CISA sought to balance comprehensiveness with practicality by combining size-based and sector-based criteria: an entity is covered if it is especially (a) large or (b) at risk. Large businesses are those that exceed the small business size standards established by the Small Business Administration (SBA). Entities at risk are identified by sector-specific criteria drawn from a modified list of critical infrastructure sectors. 

“In light of the sector’s broad importance to public health, the diverse nature of the entities that compose the sector, the historical targeting of the sector, and the current lack of required reporting unrelated to data breaches or medical devices, CISA proposes requiring reporting from multiple parts of this sector.”

In the Emergency Medical Services and Healthcare sectors, CISA proposes impact thresholds for required reporting through an overall size-based criterion tied to the SBA standards. While clinics, surgical centers, and hospices all provide vital services, CISA proposes limiting required reporting to larger hospitals, whose greater risks are balanced by greater resources, and to critical access hospitals, whose disruption would disproportionately impact the rural service areas they serve. Additionally, any manufacturer of Class II or Class III medical devices, or of certain crucial medicines, is a covered entity. CISA points out in its “Interpretation of Sector-Based Criteria Coverage” that an entity is covered if it meets any applicable criterion (services provided, products manufactured, etc.), regardless of the sector with which the entity self-identifies. 

CISA’s goal is to collect data about the targets and tactics of cyberattacks. Its rationale is that larger hospitals, and other large entities that play a critical role in the operations of the healthcare system, have a greater likelihood of experiencing significant impacts if they fall victim to a substantial cyber incident, yet are also more likely to have in-house or accessible cyber expertise to respond to and report an incident. Focusing the reporting obligation on large entities avoids placing a disproportionate burden on smaller healthcare organizations, which already face operational challenges with limited resources, and avoids diverting critical attention away from patient care and essential services. 

CIRCIA Report Proposed Content (How to Report)

As with any collection and analysis of vast sums of data, there is paperwork. When a covered entity suffers a substantial cyber incident, it must submit an initial report within 72 hours of reasonably believing the incident occurred, and must report any ransom payment within 24 hours of making it. Entities that are already required to report the same incidents to another Federal agency may be exempt, but only if the required inter-agency information-sharing arrangements between CISA and that agency are already in place. 

“CISA has sought to balance the critical need for timely reporting with the potential challenges associated with rapid reporting in the aftermath of a covered cyber incident.”

The EHR Association joins many other commenters in recommending that CISA require minimal detail at the initial reporting deadline to avoid diverting resources from response efforts. 

CISA acknowledges that the amount of information a reporting entity knows by the reporting deadline will be limited. The proposed rule therefore also requires supplemental reports, for example when substantial new or different information becomes available after the initial report. 

While CISA collected many recommendations on the optimal format and submission method for these incident reports, we urge CISA to ensure that the submission process retains the flexibility to accommodate the constraints of time, information, and resources that reporting entities will likely face.

The Goal of Effective and Feasible Regulations

The proposed reporting requirements under CIRCIA represent a significant step forward in cybersecurity preparedness, particularly in the healthcare sector. The EHR Association supports the clear framework outlined by CISA, recognizing its potential to foster timely reporting and better incident response. However, it is crucial to refine specific areas to avoid placing unnecessary burdens on smaller organizations and to ensure effective communication in the face of cyber incidents. 

By striking a balance between thorough reporting and practical implementation, CISA positions itself to strengthen our collective defenses against evolving cyber threats. We remain committed to continued collaboration between industry and government to ensure regulations are effective and feasible for our stakeholders and the healthcare organizations and providers we serve. 
