Hospitals and health systems may soon need to report a cybersecurity incident to the federal government within 72 hours and ransom payments within 24 hours.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency proposed a new rule March 27. The rule states that covered entities, including hospitals and health systems, must "report to CISA within certain prescribed timeframes any covered cyber incidents, ransom payments made in response to a ransomware attack, and any substantial new or different information discovered related to a previously submitted report."
The new rule, according to the proposal, aims to enhance CISA's ability to identify trends and track cyber threat activity.
CISA is welcoming feedback on the proposal for 60 days following its publication in the April 4 edition of the Federal Register.