Health care industry pushes back against cybersecurity proposal – Axios
Illustration: Lindsey Bailey/Axios
A proposed rule that would require the nation's most critical industries to more quickly report cyberattacks is raising the ire of the health care industry, which claims the new directives could actually hinder its response in a crisis.
Why it matters: Cyberattacks have sent shockwaves across the health care industry, but regulators and providers don't agree on how to get a handle on the problem.
Driving the news: The comment period for new rules surrounding cyberattacks, which closed last Wednesday, illustrates that division.
CISA says the agency isn't learning about many cyberattacks in a timely way, making it difficult to not only quickly help victims but also spot trends and warn other companies about known vulnerabilities.
What they're saying: The proposal would require "a description of the covered entity's security defenses" defining their entire security architecture, the College of Healthcare Information Management Executives and the Association for Executives in Healthcare Information Security stated in a letter to CISA's director.
Between the lines: Organizations also raised concerns that reporting requirements did not appear to be harmonized across government agencies, with worries that a CIRCIA report might trigger the need for a breach report under HIPAA, the Medical Group Management Association wrote to the agency.
Worth noting: Groups also raised particular concerns about a proposed enforcement mechanism included in the proposal to penalize organizations that don't comply with the law in a timely fashion.
What to watch: It's not clear how the reversal of the "Chevron deference" doctrine will impact this rule-making process.
What's next: CISA will have 18 months to issue a final rule, taking into account not just comments from the health care industry but other sectors that would be impacted by the rules.
This article was autogenerated from a news feed from CDO TIMES selected high quality news and research sources. There was no editorial review conducted beyond that by CDO TIMES staff. Need help with any of the topics in our articles? Schedule your free CDO TIMES Tech Navigator call today to stay ahead of the curve and gain insider advantages to propel your business!
A proposed rule that would require the nation's most critical industries to more quickly report cyberattacks is raising the ire of the health care industry, which claims the new directives could actually hinder its response in a crisis.
Why it matters: Cyberattacks have sent shockwaves across the health care industry, but regulators and providers don't agree on how to get a handle on the problem.
Driving the news: The comment period for new rules surrounding cyberattacks, which closed last Wednesday, illustrates that division.
CISA says the agency isn't learning about many cyberattacks in a timely way, making it difficult to not only quickly help victims but also spot trends and warn other companies about known vulnerabilities.
What they're saying: The proposal would require "a description of the covered entity's security defenses" defining their entire security architecture, the College of Healthcare Information Management Executives and the Association for Executives in Healthcare Information Security stated in a letter to CISA's director.
Between the lines: Organizations also raised concerns that reporting requirements did not appear to be harmonized across government agencies, with worries that a CIRCIA report might trigger the need for a breach report under HIPAA, the Medical Group Management Association wrote to the agency.
Worth noting: Groups also raised particular concerns about a proposed enforcement mechanism included in the proposal to penalize organizations that don't comply with the law in a timely fashion.
What to watch: It's not clear how the reversal of the "Chevron deference" doctrine will impact this rule-making process.
What's next: CISA will have 18 months to issue a final rule, taking into account not just comments from the health care industry but other sectors that would be impacted by the rules.
This article was autogenerated from a news feed from CDO TIMES selected high quality news and research sources. There was no editorial review conducted beyond that by CDO TIMES staff. Need help with any of the topics in our articles? Schedule your free CDO TIMES Tech Navigator call today to stay ahead of the curve and gain insider advantages to propel your business!
