America’s Essential Hospitals on July 2 submitted comments to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on the proposed rule for the Cyber Incident Reporting Act.
The rule would require covered entities across critical infrastructure sectors, including health care and public health, to submit a Covered Cyber Incident Report to CISA no later than 72 hours after the entity believes the covered cyber incident has occurred and submit Ransom Payment Reports no later than 24 hours after payment has been disbursed.
According to the proposed rule, CISA would use the data it receives for trend and threat analysis, incident response and mitigation, and developing strategies to improve resiliency.
In comments, the association urged CISA to:
- Clarify definitions used in the rule to ensure efficient, accurate reporting.
- Provide more time and flexibility for essential hospitals to implement reporting requirements.
- Provide a more streamlined and phased reporting process.
Contact Director of Policy Rob Nelb at rnelb@essentialhospitals.org or 202.585.0127 with questions.