March 28, 2024

Proposed federal rule would require hospitals, health systems to report cyberattacks

Editor's Note

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) proposed a new rule that would require hospitals and health systems to report any cyberattacks or ransomware attacks to the agency within 72 hours and any ransomware payments within 24 hours. 

The healthcare sector is one of the most prominent victims of cyberattacks, which are on the rise. According to the American Hospital Association, US healthcare organizations were hit by 1,410 cyberattacks per organization per week in 2022, up 86% from 2021.

Announced on March 27, the new rule is intended to streamline CISA’s ability to respond quickly to cyberattacks, track threats, and spot trends in online criminal activity. According to the agency, the new guidelines would require hospitals and healthcare systems to report within these timeframes “any covered cyber incidents, ransom payments made in response to a ransomware attack, and any substantial new or different information discovered related to a previously submitted report.”

The agency is providing 60 days for public feedback on both the proposed rule and the implementation of the new reporting requirements.
