Healthcare industry rails against CISA's 'redundant' and 'burdensome' cyber incident reporting proposal
Fierce Healthcare
Summary
Healthcare industry groups, including hospitals, insurers, and information management executives, have voiced strong objections to the Cybersecurity and Infrastructure Security Agency’s (CISA) proposed rule for cybersecurity incident reporting. The rule, designed to enhance and expedite reporting for entities deemed critical infrastructure under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), is criticized for its redundancy with existing federal regulations and the significant burden it places on organizations already managing cyberattacks. Industry representatives argue that the 72-hour reporting requirement is excessive and diverts essential resources during crises. They also express concerns over the substantial data retention mandates and the potential risks associated with sharing sensitive cybersecurity strategies. Calls for simplified, harmonized regulations are widespread, with suggestions to expand or clarify the rule’s scope to include more third-party vendors directly involved in the healthcare ecosystem.