On July 3, HIMSS responded to the Cybersecurity and Infrastructure Security Agency's (CISA) Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements proposed rule. HIMSS supports CISA's efforts to enhance incident reporting protocols and believes that clear, practical guidelines are essential for safeguarding health information systems against evolving cyber threats.
HIMSS supports CISA’s proposed definition of a cyber incident and believes the definition effectively describes the types of events that should be reportable, while excluding incidents that do not meet this threshold as well as authorized actions conducted to improve cybersecurity posture, such as security assessments and penetration testing.
While HIMSS understands the reasoning behind CISA's decision to propose an overall size-based criterion based on SBA small business size standards, we believe that all parts of the Healthcare and Public Health Sector are vulnerable to cyber-attacks and should be working toward stronger cybersecurity resilience. Accordingly, all covered entities in the sector, regardless of size, should be required to meet the reporting requirement proposed in this rule.
Finally, as CISA considers what is to be included in CIRCIA reports, HIMSS emphasizes that the amount of information available to a covered entity about a covered cyber incident at the 72-hour mark, measured from the point at which the entity forms a reasonable belief that the incident has occurred, will be limited.
Read the full comment letter from HIMSS.
The HIMSS policy team works closely with the U.S. Congress, federal decision makers, state legislatures and governments, and other organizations to recommend policy, and legislative and regulatory solutions to improve health through information and technology.