By Jeff Wardon, Jr., Assistant Editor

Cyber incidents and ransomware attacks continue to mount as healthcare organizations grapple with the attacks and the aftereffects. In light of these attacks, the U.S. government recently issued a proposed rule on reporting cyber incidents. 

The proposed rule from the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) aims to enforce cyber incident reporting mandates under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The objective is to strengthen the agency's capacity to thwart cyberattacks and extend aid to affected parties.  

Under the rule, critical infrastructure entities, such as healthcare facilities, would be obligated to notify the federal government of qualifying cyber incidents within 72 hours and ransom payments within 24 hours. CISA is accepting comments on the proposed rule for 60 days after its appearance in the April 4 edition of the Federal Register. 

Related: Managed Service Providers: An Alternative to In-House IT

The proposed rule comes in response to the growing number of cyber incidents affecting the healthcare industry. In 2023, Comparitech found 539 confirmed ransomware attacks on U.S. healthcare organizations since 2016. Those attacks cost an estimated $77.5 billion from downtime alone.  

The study also found that ransomware amounts vary from $1,600 to $10 million. Hackers demanded more than $39 million in 34 attacks and received payment in 31 out of 160 cases — approximately 19.4 percent — where the healthcare organizations disclosed if they made the payment or not.  

Jeff Wardon, Jr. is the assistant editor for the facilities market.