Healthcare groups say cyber rule should explicitly name insurers, vendors

Healthcare and hospital groups have said the proposed Cybersecurity and Infrastructure Security Agency (CISA) rule should include insurers and third-party vendors. Current proposals require critical infrastructure companies to report cyber incidents within 72 hours of discovery and document ransom payments within 24 hours. Critics argue that sector-specific reporting criteria should include insurance companies, health IT providers, and labs or diagnostic facilities, as disruption to one company could affect the entire sector.