Last week, AHCA/NCAL
submitted comments in response to a
proposed rule from the Department of Homeland Security (DHS) that would implement new reporting requirements related to cybersecurity incidents for entities, including healthcare providers, that are considered critical to the nation’s infrastructure. The proposed rule, Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements, would require covered entities to report to the Cybersecurity and Infrastructure Security Agency (CISA) information about covered cyber incidents within 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred, and ransom payments made in response to a ransomware attack within 24 hours of the ransom payment being made. The proposed requirements would not be a substitute for other existing provider reporting requirements to other agencies.
While the proposed rule would limit the requirements to acute care hospitals with 100 or more beds and critical access hospitals that “routinely provide the most critical care” in communities, the agency also requested comments on the future expansion of healthcare providers that would be subject to these additional reporting burdens. The AHCA/NCAL comments provided several reasons why the DHS should not apply these requirements to nursing facilities, assisted living residences, or residences for individuals with intellectual and developmental disabilities in future rulemaking.