Health Care Industry Sounds Alarm Over Cyber Reporting Rule

A new cybersecurity reporting rule proposed by the Cybersecurity and Infrastructure Security Agency (CISA) has sparked debate within the health care industry. The rule, which mandates rapid reporting of cyber incidents, aims to enhance national cybersecurity but has met resistance from health care providers concerned about its potential impact on their operations.

Under the proposed regulation, organizations would be required to report cyber incidents within 72 hours and ransom payments within 24 hours. This initiative stems from the Cyber Incident Reporting for Critical Infrastructure Act of 2022, designed to provide CISA with timely information about cyber threats to improve response strategies and alert other entities to vulnerabilities.

However, key health care representatives have voiced their concerns during a recent comment period. The College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security argue that the requirements are overly burdensome and could potentially expose sensitive information.

In a joint letter to CISA, these organizations stated, “The proposal would require a description of the covered entity’s security defenses, defining their entire security architecture. This is not only a tremendous amount of information to provide but also a dangerous treasure trove if obtained by bad actors.”

The American Hospital Association has also criticized the ambiguous definition of a “substantial cyber incident,” warning that it could lead to both excessive disclosures and underreporting.

Chelsea Arnone, CHIME’s director of federal affairs, emphasized the need for flexibility, noting, “Health care organizations shouldn’t be penalized by ‘crushing’ requirements at a moment when they are trying to juggle patient care and damage control.”

This debate highlights a broader issue of outdated IT infrastructure within the health care sector. Professor Ciaran Martin, former CEO of the UK’s National Cyber Security Centre, warned that outdated systems are a critical vulnerability. “Ransomware attacks on healthcare are a major global problem,” Martin told the BBC.

Recent cyber incidents underscore the gravity of these vulnerabilities. On June 3, Synnovis, a pathology testing organization for NHS trusts in southeast London, was hacked, leading to the postponement of over 4,000 outpatient appointments and nearly 1,300 elective procedures. Similarly, KBC Zagreb, Croatia’s largest medical facility, suffered a cyberattack that forced a temporary reversion to manual operations.

In response to such threats, the European National Crime Agency has partnered with private organizations like Trellix and Spamhaus to dismantle infrastructure supporting cybercriminals. Recently, they successfully took down nearly 600 servers hosting illegal copies of Cobalt Strike, a tool frequently used by cyber offenders.

The ongoing debate over the proposed CISA rule underscores a critical dilemma: balancing the need for transparency and rapid response with the practical realities and constraints of health care operations. As discussions continue, the urgency of bolstering cybersecurity measures in the health care sector remains clear.

News Sources

Assisted by GAI and LLM Technologies

Source: HaystackID
