Health Law Highlights

Healthcare Groups Say Cyber Rule Should Explicitly Name Insurers, Vendors

Summary of article from Healthcare Dive, by Emily Olsen:

Healthcare and hospital groups are urging the Cybersecurity and Infrastructure Security Agency (CISA) to explicitly include insurers and third-party vendors in its proposed cybersecurity reporting rule, citing the interconnected nature of the healthcare sector and the potential widespread impact of cyber incidents. The rule, which mandates reporting of cyber incidents within 72 hours and ransom payments within 24 hours, currently does not specify sector-specific criteria for these entities. Industry groups argue that the exclusion could leave significant vulnerabilities unaddressed, as demonstrated by the recent cyberattack on Change Healthcare. They also express concerns over the stringent reporting timelines and the additional burdens they could impose, particularly on under-resourced hospitals. These groups are calling for more flexibility, financial support, and technical assistance to ensure effective incident management without compromising patient care.