Cybersecurity and Privacy

Industry Updates: EU AI Act and CIRCIA Proposed Rule

Check out the latest industry updates with insights from HIMSS subject matter experts.

EU Artificial Intelligence Act 

The EU Artificial Intelligence Act, which calls for a risk-based approach to artificial intelligence systems while not compromising fundamental rights, health or safety including national security, was approved March 18, 2024, by the European Parliament.

The EU AI Act provides significant detail about artificial intelligence and its regulation in its current state and for future applications. 

“Society will no doubt be transformed by artificial intelligence, and this landmark legislation will have global impact on artificial intelligence innovators and implementers,” said Lee Kim, Senior Principal, Cybersecurity & Privacy, HIMSS. 

Read more: HIMSS Analysis: Healthcare Implications of the EU Artificial Intelligence Act

CIRCIA Proposed Rule 

The U.S. Department of Homeland Security published the CIRCIA proposed rule on April 4, 2024. As proposed, the rule requires critical infrastructure stakeholders to report covered cyber incidents within 72 hours after a covered entity reasonably believes that a cyber incident has occurred, and to report ransom payments within 24 hours after a ransom payment has been made in response to a ransomware attack.

“CIRCIA will provide the Federal government and industry with greater visibility into cyber incidents that are affecting critical infrastructure sectors like healthcare,” Lee Kim said. 

Covered entities are defined as critical infrastructure stakeholders. 

Comments are due on or before June 3, 2024. Anyone interested in supporting the HIMSS review and response can email policy@himss.org. 

HIMSS previously delivered comments to DHS on the Cyber Incident Reporting for Critical Infrastructure Act of 2022, noting key areas for CISA to consider when creating policies related to cybersecurity information sharing as mandated, including reducing reporting redundancy; balanced reporting requirements; granularity of reporting; and confidential handling and protection of reported information.
