July 3, 2024
The Honorable Jen Easterly
Director
Cybersecurity and Infrastructure Security Agency
U.S. Department of Homeland Security
1110 North Glebe Road
Arlington, VA 20598-0630
Re: Cyber Incident Reporting for Critical Infrastructure Act Reporting Requirements, 89 FR 23644
Dear Director Easterly:
On behalf of our member medical group practices, the Medical Group Management Association (MGMA) is pleased to provide the following comments in response to the Cybersecurity and Infrastructure Security Agency (CISA) proposed cyber incident reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). CISA proposes to institute reporting requirements for significant cyber events for critical infrastructure sectors including healthcare. We appreciate the agency’s attention to this issue and ongoing work to enhance cybersecurity capabilities within the healthcare industry.
With a membership of more than 60,000 medical practice administrators, executives, and leaders, MGMA represents more than 15,000 medical group practices ranging from small private medical practices to large national health systems, representing more than 350,000 physicians. MGMA’s diverse membership uniquely situates us to offer the following policy recommendations.
As harmful cyberattacks continue to impact a multitude of sectors in this country, we understand CISA’s need for timely information related to attacks to mitigate threats, increase risk awareness, and support national security. CIRCIA was enacted to balance gathering cyber incident reports quickly against not imposing burdensome reporting requirements on organizations suffering from a cyberattack. While we appreciate CISA’s work on this issue and the opportunity to offer feedback, we have considerable concerns about instituting burdensome, confusing, and duplicative reporting requirements that may impact medical groups’ ability to operate effectively, especially in the midst of a significant cyber incident.