Skip To Navigation Skip To Content Skip To Footer
    Advocacy Letter
    Home > Press Statements & Advocacy Letters > Advocacy Letters

    July 3, 2024 

    The Honorable Jen Easterly
    Director
    Cybersecurity and Infrastructure Security Agency
    U.S. Department of Homeland Security
    1110 North Glebe Road
    Arlington, VA 20598-0630

    Re: Cyber Incident Reporting for Critical Infrastructure Act Reporting Requirements, 89 FR 23644

    Dear Director Easterly:

    On behalf of our member medical group practices, the Medical Group Management Association (MGMA) is pleased to provide the following comments in response to the Cybersecurity and Infrastructure Security Agency (CISA) proposed cyber incident reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). CISA proposes to institute reporting requirements for significant cyber events for critical infrastructure sectors including healthcare. We appreciate the agency’s attention to this issue and ongoing work to enhance cybersecurity capabilities within the healthcare industry.

    With a membership of more than 60,000 medical practice administrators, executives, and leaders, MGMA represents more than 15,000 medical group practices ranging from small private medical practices to large national health systems, representing more than 350,000 physicians. MGMA’s diverse membership uniquely situates us to offer the following policy recommendations.

    As harmful cyberattacks continue to impact a multitude of sectors in this country, we understand CISA’s need for timely information related to attacks to mitigate threats, increase risk awareness, and support national security. CIRCIA was enacted to balance gathering cyber incident reporting quickly, while not imposing burdensome reporting requirements on organizations suffering from a cyberattack. While we appreciate CISA’s work on this issue and the opportunity to offer feedback, we have considerable concerns about instituting burdensome, confusing, and duplicative reporting requirements that may impact medical groups’ ability operate effectively, especially in the midst of a significant cyber incident.
     

    View the full letter


    More Advocacy Letters

    Ask MGMA
    An error has occurred. The page may no longer respond until reloaded. Reload 🗙