Premier Responds to Cybersecurity Incident Reporting Proposed Rule

Premier submitted comments to the Cybersecurity and Infrastructure Security Agency (CISA) in response to the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements Proposed Rule, which would implement statutory requirements for reporting covered cyber incidents and ransomware payments to CISA. CISA intends to use data gathered through the proposed voluntary reporting program to rapidly deploy resources and render assistance to victims and quickly share information to other entities that may be at risk. In our comments, Premier recommends that CISA consider:

• Clarifying both the definition of “significant” cybersecurity incidents and the scope of information requested by CISA reporting to be more narrow, targeted, impactful and in alignment with other federal cyber reporting programs;
• More precisely defining “covered entities” in order to reduce confusion and simplify compliance across the complexity of healthcare vendor relationships, supply chains and data exchange;
• Ensuring that liability protections for entities reporting cybersecurity events extend through the process of CISA sharing data with other federal agencies; and
• Extending reporting timelines so that affected entities can focus first on addressing the cybersecurity incident at hand, and then on voluntarily reporting details to CISA.