
Washington, DC

CHIME and AEHIS Comments to CISA on CIRCIA Proposed Rule



July 3, 2024


Submitted via the Federal Rulemaking Portal: http://www.regulations.gov


The Honorable Jen M. Easterly

Director, Cybersecurity and Infrastructure Security Agency

U.S. Department of Homeland Security

245 Murray Lane SW

Washington, DC, 20528


RE: Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements

[CISA-2022-0010]


Dear Director Easterly:


The College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) appreciate the opportunity to comment on the Cybersecurity and Infrastructure Security Agency’s (CISA) proposed rule required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), as published in the Federal Register on April 4, 2024 (Vol. 89, No. 66, 89 FR 23644).


Background


CHIME is an executive organization dedicated to serving chief information officers (CIOs) and other senior healthcare IT leaders in hospitals, health systems and other healthcare settings across the country. Consisting of more than 2,900 members in 60 countries, our members are responsible for the selection and implementation of clinical and business technology systems that are facilitating healthcare transformation. Launched by CHIME in 2014, AEHIS represents nearly one thousand healthcare security leaders and provides education and networking for senior IT security leaders in healthcare. CHIME and AEHIS members are among the nation’s foremost health IT experts, including on the topics of cybersecurity, privacy and the security of patient and provider data and devices connecting to their networks.


Key Recommendations and Takeaways


CIRCIA, as amended, requires CISA to promulgate regulations implementing the statute’s covered cyber incident and ransom payment reporting requirements for covered entities. CISA is seeking comment on the proposed rule to implement CIRCIA’s requirements and on several practical and policy issues related to the implementation of these new reporting requirements. CHIME and AEHIS are pleased to provide input in response to this proposed rule. Additionally, you can find CHIME and AEHIS’s response to CISA’s 2022 Request for Information (RFI) on the proposed rulemaking here.


CISA is proposing to include in the description of covered entity multiple sector-based criteria related to the Healthcare and Public Health (HPH) Sector. CISA is also proposing requiring reporting from larger hospitals (i.e., those with more than 100 beds) and critical access hospitals (CAHs). Throughout our comment letter, we use the terms HPH Sector, hospitals and healthcare systems, healthcare delivery organizations (HDOs), and providers interchangeably on behalf of our members. As noted, CHIME and AEHIS represent executive and senior healthcare IT leaders within the HPH Sector – specifically in hospitals, health systems and other healthcare settings.


We believe the following areas are especially important for CISA to consider when finalizing this proposed rule:

  • CHIME and AEHIS members believe strongly that cybersecurity is patient safety, and regulatory requirements should not jeopardize their core mission of care.
  • We must continue to move away from a mentality that punishes those that have been victimized by malicious actors and criminals.
  • Our members strongly recommend that DHS and CISA coordinate with other federal agencies with existing jurisdiction – including the U.S. Department of Health & Human Services (HHS), HHS’ Office for Civil Rights (OCR), and the Federal Trade Commission (FTC) – to minimize duplicative cyber incident reporting requirements to the greatest extent possible.
  • CISA's proposed inclusion of "substantial loss of confidentiality" in the definition of a "substantial cyber incident" could add burden on hospitals and healthcare systems by creating duplicative requirements in an existing complicated regulatory framework.
  • As proposed, hospitals and healthcare systems are concerned that OCR may treat a CIRCIA Report as acknowledgment of a data breach – regardless of its actual reportability under the Health Insurance Portability and Accountability Act (HIPAA). Thus, the HIPAA reporting timelines could be triggered upon the submission of a CIRCIA Report, creating potential compliance challenges and additional burdens for our members.
  • Cybersecurity is a shared responsibility; therefore, CISA should clarify that when a substantial cyber incident occurs at the level of a managed service provider or other third-party service provider, and that organization serves, contracts with, or is otherwise legally engaged with any entities in a critical infrastructure sector, the third-party service provider must be the covered entity that fulfills any and all CIRCIA reporting obligations.
  • This proposal places the onus solely on our members as covered entities, rather than on third parties – who may or may not be covered entities.
  • Data reporting requirements should be limited to include only what information is minimally necessary, a cybersecurity best practice. This will also facilitate the spirit of CIRCIA – which is sharing threat information to help avert other cyberattacks.
  • As proposed, hospitals and healthcare systems are required to provide detailed and numerous reports during, throughout, and after a substantial cyber incident. Our members believe strongly that the supplemental reporting and timing of “without delay or as soon as possible” will mean that ensuring compliance with these reporting requirements could be prioritized over patient safety.
  • While CHIME and AEHIS appreciate that CISA is proposing to allow for supplemental reporting after a substantial cyber incident – which we supported in our response to the RFI – we have significant concerns.
  • We recommend that hospitals and healthcare systems be permitted to submit supplemental reports every 72 hours at minimum, or every five business days. This reporting cadence would be required only when and if substantial new or different information becomes available.
  • CISA is proposing size-based criteria; our members believe that rather than allowing certain entities to “self-assess” whether they meet these criteria, CISA must include health insurance companies, third-party administrators (TPAs) of health plans, and healthcare clearinghouses in the HPH Sector-based criteria. We are extremely concerned that if these third parties are not explicitly “carved into” the HPH Sector-based criteria, they may simply self-assess that they do not meet the proposed size-based criteria and are not subject to CIRCIA.
  • CHIME and AEHIS members have been victims due to cyberattacks on third-party services or breaches affecting their vendors and contractors. There is no greater example of the devastating impact this can have on healthcare than the unprecedented cyberattack on Change Healthcare this year – which is a clearinghouse and unit of a health insurance company – UnitedHealth Group (UHG).
  • These third parties hold vast quantities of patient data and are integral partners in the healthcare ecosystem. If CISA is to achieve the purpose of CIRCIA, and truly enhance the security and resiliency of the nation’s critical infrastructure, CHIME and AEHIS believe that the final rule must include the above listed third parties, at minimum.
  • CISA is proposing, under the HPH Sector-based criteria, to require reporting from larger hospitals (i.e., those with more than 100 beds) and CAHs. Certain factors and complexities – as outlined in our comments below – underscore the inadequacy of using a single criterion such as “hospitals with 100 beds or more” to determine hospital size and capacity. Rather, we suggest a more nuanced approach that considers multiple criteria beyond bed count in order to accurately characterize hospital size and capacity.
  • Further, CHIME and AEHIS believe that CISA’s proposed scope to include CAHs is not appropriate at this time. Imposing additional regulatory burdens on rural hospitals could inadvertently increase their financial and operational strain, leading to more closures and reduced access to healthcare – and crucially – could divert resources away from patient care.
  • CISA is proposing to offer a web-based form as the manner of submission of CIRCIA Reports, and our members broadly agree with this approach. However – we strongly believe that covered entities should be able to test the proposed web-based forms before the issuance of the final rule, for all four of the proposed CIRCIA Reports.
  • Our members strongly recommend that CISA implement a sandbox environment version of the web-based forms for each of the Reports well in advance of deploying them for reporting purposes. Initially isolating the forms in a controlled environment so that they can be executed and tested safely without risking any of the overall systems and networks is essential.
  • As our members are executives and senior healthcare IT leaders – we are offering to serve as a resource to CISA throughout this process. They are extremely knowledgeable and have decades of experience executing cybersecurity best practices, as well as real-world experience dealing with the ramifications of cyberattacks. Our members are able and willing to provide input on the forms, and are offering to serve as “beta-testers.”
  • CHIME and AEHIS members are extremely concerned about the proposed § 226.8(d), which would require “a description of the covered entity’s security defenses in place, including but not limited to any controls or measures that resulted in the detection or mitigation of the incident.” If CISA requires hospitals and healthcare systems to define their entire security architecture, that is a tremendous amount of information to include in a report. Our members do not believe that CISA needs to know an entire description of an organization’s security program – as it is not helpful to fulfill the purpose of CIRCIA, is potentially considered intellectual property (IP), and/or sensitive for the organization.
  • Further, if the entire security architecture of a hospital or healthcare system is sent to CISA, it is the most target-rich information for bad actors. Our members believe that the other proposed reporting requirements would be more than sufficient for CISA to share necessary threat information.
  • The proposed language “including but not limited to” should be stricken from the final rule and changed to “only including” – so that § 226.8(d) reads “A description of the covered entity’s security defenses in place, only including any controls or measures that resulted in the detection or mitigation of the incident.”
  • This proposal’s lack of details on how, specifically, CISA plans to fulfill fundamental obligations required by CIRCIA, is disappointing, and does not allow for CHIME and AEHIS members to offer meaningful feedback or input. In the proposal, CISA asserts that the information reported to them “will enable CISA to carry out its core statutory responsibilities related to identifying and sharing information on cyber incident trends, TTPs, vulnerability exploitations, campaigns, and countermeasures that may be useful in preventing others from falling victim to similar incidents and preventing similar vulnerability classes in the future.”
  • All of the outcomes and benefits that CISA describes rely on timely, adequate, and bi-directional information distribution. CISA should have provided details in this proposal, specifically regarding how they plan to partner with Sector Risk Management Agencies (SRMAs) and sector-specific ISACs to determine a plan by which the information will be distributed back to the sectors.
  • The ability to rapidly respond to cybersecurity incidents – and when possible, preventing them – while sharing information with our federal partners is essential to protect hospitals and HDOs.


Overview: The Cybersecurity Landscape in the Healthcare & Public Health (HPH) Sector


Hostile nation states have grown increasingly aggressive with their tactics, attacking hospitals and other healthcare stakeholders daily. This poses an imminent risk to our national defense. Bringing down a hospital or multiple HDOs at once is a risk for the nation and it shakes the confidence and trust of everyday Americans which is precisely what hostile nation states intend. They are looking to exact physical, financial, and psychological harm.


According to a recent Fact Sheet from the White House: “Recent cyberattacks targeting the nation’s healthcare system have demonstrated the vulnerability of our hospitals and payment systems. Providers across the health system had to scramble for funding after one attack on a key payment system. And some hospitals had to redirect care after another. These disruptions can take too long to resolve before full access to needed health care services or payment systems is restored. Cyberattacks against the American healthcare system rose 128% from 2022 to 2023.”


Healthcare data and patient information remain lucrative targets for theft and exploitation, particularly through ransomware attacks. Criminal groups and adversarial nation states utilize tactics, techniques and procedures (TTPs) across our Sector – including large, publicly traded companies with far greater resources than most U.S. hospitals and health systems. Healthcare continues to experience the highest data breach costs of all industries, increasing from $10.10 million in 2022 to $10.93 million in 2023 – an increase of 8.2 percent. Over the past three years, the average cost of a data breach in healthcare has grown 53.3 percent, increasing more than $3 million compared to the average cost of $7.13 million in 2020. As a comparison, the costs for a financial entity to recover from a breach are estimated to be $5.90 million.


Our members are committed to adopting cybersecurity best practices and take very seriously their responsibility to protect not only the privacy and security of patient data and devices networked to their systems – but critically – their patients’ overall safety and well-being. Cyber safety is patient safety. Currently, hospitals are forced to balance the challenges of the high cost of cyber insurance, near-constant cyberattack attempts, the inherent risks to their patients, the weaponization of artificial intelligence (AI), and the shortage of the workforce needed to mitigate all of these risks.


They are doing their best to navigate an increasingly complex cybersecurity landscape, a job that has become infinitely more complicated with managing third-party risk. Hospitals and healthcare systems must offer a wide range of services that require specialized skills and equipment, operate efficiently, and provide high-quality patient care. Thus, they must contract with third parties – including medical device manufacturers, information and information technology (IT) companies, data storage companies, and others – which inherently introduces risk into their ecosystem. Our members often encounter third parties that are unwilling to sign HIPAA business associate agreements (BAAs), and/or resist acceptance of appropriate levels of liability that recognize the great amounts of protected health information (PHI) they process and maintain.


While healthcare providers exercise due diligence processes when selecting third-party solutions or offerings, as well as ensure that sufficient administrative safeguards are in place, they are forced to deal with an overall lack of third-party willingness to offer indemnification clauses (i.e., "hold harmless") or limitations of liability in case of data breaches. If any limitation of liability is included, it is woefully inadequate. Thus, a disproportionate amount of risk is shouldered by providers.


According to HHS’ OCR, “Ransomware and hacking are the primary cyber-threats in health care. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.” In 2022, there were 707 data breaches, more than half of which occurred against third-party service providers that handle PHI.


Additionally, the costs of delivering care continue to increase at an unsustainable rate. While all subsectors in healthcare are feeling cost pressures, HDOs are facing:

  • Increasing operating costs such as inflation and labor shortages;
  • Impact of cybersecurity events such as ransomware and data breaches;
  • Continued downward pressure on hospital, physician practice, and smaller HDO reimbursements; and the
  • Push from “Fee for Service” to “Value-Based” contracts.


These factors in turn drive increased mergers, acquisitions, & divestitures (MA&D) and consolidation activities; focus on cost reduction; closures / reduced options for health services, especially in rural areas; and an increase in out-of-date / out-of-support vulnerable technologies. Nevertheless, CHIME and AEHIS members undertake and devote significant resources to securing their networks and systems because they are truly committed to the health, well-being, and safety of patients in the communities they serve.


Like nearly all organizations in the United States, hospitals and HDOs must care – to some degree – about their ability to generate positive net revenue in order to keep their doors open. However, they are unlike other organizations in that their first and most important mission is to care for their patients. Hospitals and healthcare systems are not only critical to the communities in which they serve, they are also often the largest employers.


We must continue to move away from a mentality that punishes those that have been victimized by malicious actors and criminals. Cybersecurity is a shared responsibility; however, without additional assistance, many of our members are limited in what they can do.


Cyber Incident, Covered Cyber Incident, and Substantial Cyber Incident – Definitions


CISA is proposing to include in the regulation a definition of the term cyber incident. The definition of cyber incident is important as it will help bound the types of incidents that trigger reporting requirements for covered entities under the proposed regulation. CISA is proposing to define cyber incident to mean an occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually jeopardizes, without lawful authority, an information system. CHIME and AEHIS broadly agree with this definition.


CIRCIA requires CISA to include within the proposed rule a definition for the term covered cyber incident. Because CIRCIA requires covered entities to report only those cyber incidents that qualify as covered cyber incidents to CISA, this definition is essential for triggering the reporting requirement. CISA is proposing to define the term covered cyber incident to mean a substantial cyber incident experienced by a covered entity. CHIME and AEHIS broadly agree with this proposed approach.


Within CIRCIA, Congress defined a covered cyber incident as “a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director in the final rule issued pursuant to section 681b(b) of this title.” CISA believes that defining a covered cyber incident to include all substantial cyber incidents experienced by a covered entity rather than some subset thereof is both consistent with the statutory definition of covered cyber incident and is the least complicated approach to defining covered cyber incidents.


Under this approach, a covered entity simply needs to determine if a cyber incident is a substantial cyber incident for it to be reported, rather than having to perform an additional analysis to determine if a substantial cyber incident meets some narrower criteria for a covered cyber incident. As the term substantial cyber incident is not used in CIRCIA other than to help define a covered cyber incident, CISA does not see any benefit to having one set of requirements for what constitutes a substantial cyber incident and a separate set of requirements for which substantial cyber incidents experienced by a covered entity qualify as covered cyber incidents. CHIME and AEHIS broadly agree with this approach.


CISA is proposing to include within the rule a definition for the term substantial cyber incident. Given CISA’s proposal to define a covered cyber incident as a substantial cyber incident experienced by a covered entity, CISA notes that the term substantial cyber incident is “essential to the CIRCIA regulation as it identifies the types of incidents that, when experienced by a covered entity, must be reported to CISA.”


While CIRCIA does not define the term substantial cyber incident, it provides minimum requirements for the types of substantial cyber incidents that qualify as covered cyber incidents. Consistent with these minimum requirements, CISA proposes the term substantial cyber incident to mean:


a cyber incident that leads to any of the following: (a) a substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network; (b) a serious impact on the safety and resiliency of a covered entity’s operational systems and processes; (c) a disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services; or (d) unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise.


CISA is further proposing that a substantial cyber incident resulting in one of the listed impacts include any cyber incident regardless of cause, including, but not limited to, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; a supply chain compromise; a denial-of-service attack; a ransomware attack; or exploitation of a zero-day vulnerability.


CHIME and AEHIS members would be remiss if we did not point out that, as proposed, the definition of a “substantial cyber incident” seems to exclude the largest cyberattack on the healthcare sector to date. This is for several reasons. It is unclear whether the unprecedented cyberattack on UHG/Change Healthcare would have been required to be reported under CIRCIA if the final rule had been in effect at the time. We are unable to ascertain that Change Healthcare would have fallen under or met the size-based criteria, and clearinghouses are not specifically included in the sector-based criteria for the HPH Sector. Our members outline these concerns in further detail below.


As CISA notes, “confidentiality” refers to “preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information [emphasis added].” CHIME and AEHIS members have concerns about the use of the term “confidentiality” as it is proposed to be included in the definition of “substantial cyber incident”, as well as in the first of the four impact prongs (Substantial Loss of Confidentiality, Integrity, or Availability). “Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes [emphasis added].”


Further, the 405(d) Program, as mandated by Congress in the Cybersecurity Act of 2015, has already established a minimum set of voluntary cyber hygiene practices. Additionally, in P.L. 116-321 Congress defined “recognized security practices” to be:

the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title).


As identified in the statute’s definition, there are several standards, best practices and procedures currently in place and currently relied on by healthcare providers to implement enterprise risk management best practices. We strongly supported and endorsed this law as it incentivizes the adoption of cybersecurity practices by acknowledging that providers who have been acting in good faith should not be penalized by OCR.


As CISA notes in the proposed rule, “the concepts of confidentiality, integrity, and availability (CIA), often referred to as the “CIA triad,” represent the three pillars of information security.” The proposal cites definitions from a National Institute of Standards and Technology (NIST) publication, noting that “confidentiality” refers to “preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” “Integrity” refers to “guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity,” and “availability” refers to “ensuring timely and reliable access to and use of information.” However, from the perspective of our members, these principles often overlap and sometimes conflict, requiring thoughtful implementation of any new cybersecurity policies.


Furthermore, as noted in the NIST Cybersecurity Framework (CSF) 2.0 – cybersecurity and privacy are independent disciplines, although their objectives can overlap in certain circumstances. As the NIST Privacy Framework states: “Having a general understanding of the different origins of cybersecurity and privacy risks is important for determining the most effective solutions to address the risks.”


Hospitals and healthcare systems are already subject to multiple overlapping reporting requirements for cyber incidents resulting in “a substantial loss of confidentiality.” These requirements come in the form of state data privacy laws and the reporting requirements under HIPAA – discussed further below. The inclusion of confidentiality incidents within the definition of a “substantial cyber incident” creates an additional duplicative reporting requirement for this class of incidents. These existing reporting requirements have unique timelines attached to different trigger points, and hospitals and healthcare systems will need to evaluate if a CIRCIA Report triggers reporting requirement timelines under HIPAA prematurely.


Further, substantial confidentiality incidents may derive from insubstantial cyber events. Many records might be exposed through the compromise of an email account, a misdirection of records, or a configuration error. These types of incidents represent substantial data confidentiality breaches, but they yield no valuable intelligence on threat actor TTPs. Therefore, the inclusion of confidentiality in the definition of “substantial cyber incident” may result in a volume of low-value reports that increase burden on hospitals and healthcare systems, as well as on CISA staff, without meeting the intent or deriving the value intended from CIRCIA. The primary purpose of CIRCIA is to help preserve national security, economic security, and public health and safety – as well as to assist the Federal government in understanding the cyber threat landscape and enabling the timely sharing of information to enhance cyber resilience.


Thus, as CISA is proposing to include in the definition of “substantial cyber incident” a cyber incident that leads to “a substantial loss of confidentiality,” we respectfully request that CISA recognize that this could inadvertently implement an additional set of burdensome practices for hospitals and healthcare systems – adding to the fragmented, complex regulatory frameworks that our members already must comply with. CHIME and AEHIS strongly believe that CISA should not adopt policies that inadvertently create overly duplicative requirements, penalize healthcare providers unfairly, and add burden to an already highly regulated industry.


Minimum Requirements for a Cyber Incident to be a Substantial Cyber Incident


The proposed definition contains the following elements: (1) a set of four threshold impacts which, if one or more occur as the result of a cyber incident, would qualify that cyber incident as a substantial cyber incident; (2) an explicit acknowledgment that substantial cyber incidents can be caused through compromises of third-party service providers or supply chains, as well as various techniques and methods; and (3) three separate types of incidents that, even if they were to meet the other criteria contained within the substantial cyber incident definition, would be excluded from treatment as a substantial cyber incident. Ultimately, CISA is proposing four types of impacts that, if experienced by a covered entity as a result of a cyber incident, would result in the incident being classified as a substantial cyber incident and therefore reportable under the CIRCIA regulation. Each of these impact types is described in its own prong of the substantial cyber incident definition.


CHIME and AEHIS believe that CISA should clarify that when a substantial cyber incident occurs at the level of a managed service provider or other third-party service provider, and that organization serves, contracts with, or is otherwise legally engaged with any entities in a critical infrastructure sector, the third-party service provider must be the covered entity that fulfills any and all CIRCIA reporting obligations. From an operational viewpoint, the covered entity that experiences the substantial cyber incident would be the organization that has the necessary information to complete any of the CIRCIA Reports, as proposed. Additionally, the third-party service provider would likely be aware of – or be expected to be aware of – the incident before its customers or other contracted organizations.


Guidance for Assessing Whether an Impact Threshold is Met


When evaluating whether a cyber incident meets one of the four proposed impact thresholds that would qualify it as a substantial cyber incident, CISA notes that a covered entity should keep in mind several principles. First, an incident needs to meet only one of the four prongs, not all four, for it to be a substantial cyber incident. While not ideal, it is a fairly straightforward proposal, and thus we agree with this approach.


For an incident to qualify as a substantial cyber incident, CISA interprets CIRCIA to require the incident to “actually result” in one or more of the impacts described. CHIME and AEHIS broadly agree with this approach.


Additionally, CISA is proposing that the type of TTP used by an adversary to perpetrate the cyber incident and cause the requisite level of impact is typically irrelevant to the determination of whether an incident is a substantial cyber incident. CHIME and AEHIS broadly agree with this approach.


CISA has elected not to limit the definition of substantial cyber incident to impacts to specific types of systems, networks, or technologies. CHIME and AEHIS broadly agree with this approach.


CISA is aware that in some cases, a covered entity will not know for certain the cause of the incident within the first few days following the occurrence of the incident. CISA is proposing that a covered entity does not need to know the cause of the incident with certainty for it to be a reportable substantial cyber incident. CHIME and AEHIS broadly agree with this approach.


CISA states that: “For incidents where the covered entity has not yet been able to confirm the cause of the incident, the covered entity must report the incident if it has a “reasonable belief” that a covered cyber incident occurred. If an incident meets any of the impact-based criteria, it would be reportable if the covered entity has a “reasonable belief” that the threshold impacts occurred as a result of activity without lawful authority, even if the specific cause is not confirmed.” CHIME and AEHIS members have concerns regarding this proposal and the fourth prong, as outlined below.


We reiterate our concerns regarding the proposed reporting timelines for a "confidentiality" breach and the conflicting timelines for reporting under CIRCIA and HIPAA. Data breach reporting under HIPAA is based on the confirmation of a data breach: “A covered entity must notify the Secretary if it discovers a breach of unsecured protected health information.” As proposed, CIRCIA reporting is based on "reasonable belief." The very real risk and burden to hospitals and healthcare systems is that OCR may treat a CIRCIA Report as acknowledgment of a data breach, regardless of its actual reportability under HIPAA. Consequently, the HIPAA reporting timelines could be triggered upon the submission of a CIRCIA Report, creating potential compliance challenges and additional burdens for our members. In essence, the CIRCIA Report could prematurely initiate the HIPAA reporting obligations timeline, leading to confusion and undue administrative strain.


Furthermore, under HIPAA, a covered entity’s breach notification obligations differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals. If a breach of unsecured PHI affects 500 or more individuals, a covered entity must notify the HHS Secretary of the breach without “unreasonable delay” and in no case later than 60 calendar days from discovery of the breach. In other words, any CIRCIA Report could be seen as acknowledgment of a data breach under HIPAA, and the reporting obligations timeline under HIPAA would begin. Hospitals and healthcare systems would then be forced to balance obligations and differing timelines under two regulatory regimes – CIRCIA and HIPAA.


CISA is specifically proposing that: “For the fourth prong, a reasonable belief that unauthorized access was caused by a third-party provider or a supply chain compromise would be sufficient to trigger a reporting obligation, even if the cause of the cyber incident was not yet confirmed.” This proposal places the burden of forming a “reasonable belief,” and the legal requirement to report an unconfirmed cyber incident caused by a third party, solely on the hospital or healthcare provider.


Crucially, there are many third parties in the healthcare ecosystem that our members contract with who would not be considered “covered entities” under this proposal, and who therefore would not be obligated to share or disclose that there had been a substantial cyber incident, or any cyber incident at all. The subjective nature of "reasonable belief" could potentially be exploited by third parties, allowing individuals or organizations, covered entities or not, to justify their actions or inactions. Additionally, should there be a substantial cyber incident at a third party that is widely used in the HPH Sector, multiple providers could be impacted, resulting in multiple reports being required to CISA for the same underlying incident.


CISA states that: “Timely reporting is of the essence for CISA to be able to quickly analyze incident reports, identify trends, and provide early warnings to other entities before they can become victims.” While we agree that timely reporting will be critical to allow CISA to provide early warnings to other entities before they can become victims, placing the onus solely on our members as covered entities, rather than on third parties who may or may not be covered entities, is extremely short-sighted. Additionally, data reporting requirements should be limited to only the information necessary to fulfill the spirit of the law, which is sharing threat information to help avert other cyberattacks.


CIRCIA Reports


CISA is proposing to include in the regulation a definition of the term CIRCIA Report. CIRCIA requires a covered entity to submit (either directly or through a third party) a report to CISA when it reasonably believes a covered cyber incident occurred, makes a ransom payment, or experiences one of a number of circumstances that requires the covered entity to update or supplement a previously submitted Covered Cyber Incident Report. These reports are called Covered Cyber Incident Reports, Ransom Payment Reports, and Supplemental Reports, respectively.


CIRCIA additionally allows covered entities that make a ransom payment associated with a covered cyber incident to submit a single report to satisfy both the covered cyber incident and ransom payment reporting requirements. CISA is proposing to call this joint submission a Joint Covered Cyber Incident and Ransom Payment Report. Additionally, CISA is proposing a term, CIRCIA Report, to be an umbrella term that encompasses all four types of covered entity reports collectively.


Our members, hospitals and health care systems, are already required to comply with a myriad of both state and federal cyber, security, and privacy data breach reporting requirements. These include federal authorities and requirements under HIPAA (including amendments to HIPAA made under the Health Information Technology for Economic and Clinical Health (HITECH) Act) regulations. Specifically, these include the HIPAA Breach Notification Rule, the HITECH Act’s additional data breach reporting requirements to HHS’ OCR, and the FTC’s Health Breach Notification Rule.


Additionally, the Cybersecurity Information Sharing Act of 2015 marked a significant milestone by authorizing healthcare information threat sharing in certain situations. Nevertheless, healthcare organizations remain hesitant, fearing violations of HIPAA regulations and substantial reputational damage. Despite the potential reputational harm from a HIPAA breach, it is crucial for providers to share threat information to prevent potentially catastrophic patient safety incidents. Nonetheless, CHIME and AEHIS believe that to the degree possible, any duplicative reporting that is currently required under other federal policies should be avoided.


CISA states in the proposed rule:


Unfortunately, entities within [the HPH] sector routinely experience cyber incidents, with U.S. healthcare entities experiencing the seventh most cyber incidents of any industry in 2022. Many entities within the sector currently are required to report certain cyber incidents to HHS under the HIPAA Breach Notification Rule and to the Federal Trade Commission under the HITECH Act Health Breach Notification Rule; however, those requirements are generally focused solely on data breaches and do not require reporting of other types of cyber incidents that do not involve unauthorized acquisition of or access to personal health information.


In 2023, OCR reported a 239 percent increase in hacking-related data breaches between January 1, 2018, and September 30, 2023, and a 278 percent increase in ransomware attacks over the same period. In 2019, hacking accounted for 49 percent of all reported breaches. In 2023, 79.7 percent of data breaches were due to hacking incidents. Even HHS cited a cohort study which concluded that ransomware attacks targeting HDOs doubled from 2016 to 2021. Hospitals and healthcare systems are among the entities within the HPH sector that are required to report certain cyber incidents to HHS – and we agree with CISA that “these requirements are generally focused solely on data breaches.” However, the vast majority of data breaches would also now fall under the definition of a “substantial cyber incident” as proposed.


In our response to CISA’s RFI, CHIME and AEHIS urged significant consideration and clarification in this proposed rule regarding its intersection with existing federal and state laws, regulations, and oversight. We strongly recommended that DHS and CISA coordinate with other federal agencies with existing jurisdiction, including HHS, OCR, and the FTC, to minimize duplicative cyber incident reporting requirements to the greatest extent possible.


To reduce the burden on hospitals and healthcare systems, we strongly encouraged CISA to align with and leverage existing federal cyber incident and data breach reporting requirements for consistency. Reputational harm and higher information technology labor investment due to the remediation of data breaches are already an added cost to the impacted hospital and/or healthcare system. CHIME and AEHIS are disappointed that, while we previously encouraged CISA to implement the reporting exemption for covered entities that submit cyber incident reports with substantially similar information to other Federal departments and agencies within a substantially similar timeframe, CISA has not proposed to do so.


Additionally, CIRCIA does not preempt state data breach notification laws, and it is unclear if CISA will engage state entities to harmonize CIRCIA reporting requirements with existing state laws. We are aware of existing state laws which would further complicate and burden our members without action from CISA. For example, Utah’s recently enacted “The Protection of Personal Information Act”, found at Utah Code 13-44-101, et seq., requires any non-government entity which conducts business in the State of Utah to prevent the unlawful use or disclosure of personal information collected by the organization.


If an organization that owns or maintains personal information of a Utah resident becomes aware of a breach of system security, that company must conduct an investigation to determine if the personal information has been or will be misused. If the investigation indicates that the misuse has occurred or is likely to occur, the organization must notify every affected Utah resident. If the misuse relates to 500 or more Utah residents, the organization must also provide notification to the Utah Attorney General's Office and the Utah Cyber Center.


“All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws requiring private businesses […] to notify individuals of security breaches of information involving personally identifiable information. Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data or information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, driver’s license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).”


Further, “at least 40 states, Guam, Puerto Rico and Washington, D.C., introduced or considered more than 500 bills or resolutions that deal significantly with cybersecurity. Thirty-nine states, Puerto Rico, and Washington, D.C., enacted at least 130 bills and adopted at least 10 resolutions in 2023.” Consequently, it will be incumbent upon CISA to proactively – and on an ongoing basis – engage with state entities to ensure harmonization, to the greatest extent possible, of the CIRCIA reporting requirements with existing state laws.


Covered Cyber Incident Report


CISA is proposing to include in the regulation a definition of the term Covered Cyber Incident Report. CIRCIA requires a covered entity that experiences a covered cyber incident to report that incident to CISA. CISA is proposing to refer to this type of report as a Covered Cyber Incident Report and to define that term to mean a submission made by a covered entity or a third party on behalf of a covered entity to report a covered cyber incident. CISA is further proposing that a Covered Cyber Incident Report also includes any additional, optional information submitted as part of a Covered Cyber Incident Report. CHIME and AEHIS broadly support this proposed approach. However, our concerns regarding the proposed Covered Cyber Incident Report Specific Content are detailed further in this letter.


To read the full letter, download the PDF.