Today, FAH submitted comments to the Cybersecurity and Infrastructure Security Agency (CISA) with recommendations for hospitals and other entities that would be required to report cyber incidents to CISA under its Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements Proposed Rule.
FAH's comments supported CIRCIA's goals of providing a comprehensive and coordinated approach to cyber reporting, while urging flexibility for hospitals and other "covered entities."
Key recommendations included:
- Definitions: Certain terms, such as substantial cyber incidents, should be defined more narrowly to preserve CISA’s ability to quickly analyze and respond to material cyber incidents.
- Reporting Time Frame: CISA’s proposed “hours, not days” timeframe for obtaining a “reasonable belief” that an incident has occurred should be extended to allow time for more appropriate analysis and response by the entity and CISA.
- Submitting Cyber Reports: Cyber incident reporting should be harmonized among federal and state agencies – when an entity reports to CISA, all other federal and state entities should receive a notification, and the entity would not report the incident multiple times.
- Confidentiality: Contents of cyber reports should be confidential except as appropriate to contain a cyberattack.
Read the letter here.