close
close

AHA comments on CIRCIA’s cyber incident reporting requirements

The AHA submitted comments to the Cybersecurity and Infrastructure Security Agency on July 2 on its proposed rulemaking that establishes cybersecurity incident reporting requirements under the Cyber ​​Incident Reporting for Critical Infrastructure Act. The AHA called the requirements redundant compared to those of other federal agencies and that they place an unnecessary burden on hospitals while maintaining care during a cybersecurity incident. The AHA called on CISA and other agencies to ensure data anonymity across all federal agencies, saying the applicability of the reporting requirements is confusing and called for simplification due to compliance and operational burdens on hospitals as well as privacy risks. The AHA also expressed concern about the proposed rulemaking’s penalties, calling them “vague and potentially severe,” and recommended that CISA revise the rulemaking to encourage collaboration instead.