Healthcare groups say cyber rule should explicitly name insurers, vendors
healthcaredive.com
|
Contributed by: Drex DeFord
Summary
Healthcare organizations are urging that a proposed federal cybersecurity reporting rule should explicitly include insurers and third-party vendors due to their significant impact on the industry, as highlighted by a major cyberattack on Change Healthcare. The rule, proposed by the Cybersecurity and Infrastructure Security Agency (CISA), requires critical infrastructure companies to report cyber incidents within 72 hours and ransom payments within 24 hours. While CISA did not initially include sector-specific criteria for insurers or labs, industry groups argue that these entities are interconnected with the healthcare sector and that excluding them could result in unreported significant cyber incidents. Organizations like the American Hospital Association and the College of Healthcare Information Management Executives highlighted challenges such as the tight reporting timelines and potential duplicative reports, advocating for flexibility and financial support, especially for under-resourced hospitals.
