FAH Hospital Policy Blog

Perspectives on health policy affecting America's hospitals and the patients we serve.

Health IT | FAH Policy Blog Team

FAH Urges Flexibility in CISA Cyber Reporting Regulations

Today, FAH submitted comments to the Cybersecurity and Infrastructure Security Agency (CISA) with recommendations for hospitals and other entities that would be required to report cyber incidents to CISA under its Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements Proposed Rule.

FAH's comments supported CIRCIA’s goals of providing a comprehensive and coordinated approach to cyber reporting, while urging flexibility for hospitals and other “covered entities.”

Key recommendations included: 

  • Definitions: Certain terms, such as substantial cyber incidents, should be defined more narrowly to preserve CISA’s ability to quickly analyze and respond to material cyber incidents. 
  • Reporting Time Frame: CISA’s proposed “hours, not days” timeframe for obtaining a “reasonable belief” that an incident has occurred should be extended to allow time for more appropriate analysis and response by the entity and CISA.  
  • Submitting Cyber Reports: Cyber incident reporting should be harmonized among federal and state agencies – when an entity reports to CISA, all other federal and state entities should receive a notification, and the entity would not report the incident multiple times.  
  • Confidentiality: Contents of cyber reports should be confidential except as appropriate to contain a cyberattack.  

Read the letter here.