CISA Proposes New Rule on Reporting Cyber Incidents

Proposed rule would give healthcare organizations a timeframe to report cyber incidents and ransomware payments.

By Jeff Wardon, Jr., Assistant Editor

Cyber incidents and ransomware attacks continue to mount as healthcare organizations grapple with the attacks and the aftereffects. In light of these attacks, the U.S. government recently issued a proposed rule on reporting cyber incidents. 

The proposed rule from the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) aims to enforce cyber incident reporting mandates under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The objective is to strengthen the agency's capacity to thwart cyberattacks and extend aid to affected parties.  

Under the rule, critical infrastructure entities, such as healthcare facilities, would be obligated to notify the federal government of qualifying cyber incidents within 72 hours and ransom payments within 24 hours. CISA is accepting comments on the proposed rule for 60 days after its appearance in the April 4 edition of the Federal Register

Related: Managed Service Providers: An Alternative to In-House IT

The proposed rule comes in response to the growing number of cyber incidents affecting the healthcare industry. In 2023, Comparitech found 539 confirmed ransomware attacks on U.S. healthcare organizations since 2016. Those attacks cost an estimated $77.5 billion from downtime alone.  

The study also found that ransomware amounts vary from $1,600 to $10 million. Hackers demanded more than $39 million in 34 attacks and received payment in 31 out of 160 cases — approximately 19.4 percent — where the healthcare organizations disclosed if they made the payment or not.  

Jeff Wardon, Jr. is the assistant editor for the facilities market. 

April 3, 2024

Topic Area: Information Technology , Security

Recent Posts

Suicide Offers Reminder of Need for Hospital Security

The incident did not disrupt patient care.

Cleveland Clinic Implements Flagging System for Violence Prevention: Study

The system flags patients with a history of violence.

Northeast Georgia Medical Center Lumpkin Officially Opens

The new 66,000-square-foot hospital is located in Dahlonega, Georgia.

Group Health Cooperative of South Central Wisconsin Experiences Cyber Incident

The incident happened during the early morning on January 25.

Hospital Websites Too Often Share User Data with Third Parties: Study

User privacy can be compromised by sharing website information with external organizations.


FREE Newsletter Signup Form

News & Updates | Webcast Alerts
Building Technologies | & More!


All fields are required. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.