In response to growing concern over the increasing incidence of cyberattacks on the healthcare industry, New York State (NYS) recently proposed statewide cybersecurity regulations for hospitals. The proposed regulations are subject to a 60-day comment period ending on February 5, 2024 and would apply to general hospitals licensed under Article 28 of the NYS Public Health Law.1
As part of the regulatory impact statement, NYS acknowledged that efforts and costs necessary to achieve compliance will vary significantly by hospital due to varying hospital sizes as well as levels of cybersecurity programs that are currently in place. The NYS Department of Health is expected to issue a request for application for a $500M Health Care Technology funding program, which was included in the fiscal year 2024 budget to support technological needs, including cybersecurity.
Whether your cybersecurity program is mature or developing, it is important for leadership and management to review the existing programs to identify opportunities for improvement. NYS’s proposed cybersecurity regulations provide an interesting starting point for such an evaluation. “The proposed regulations require that hospitals develop, implement and maintain minimum cybersecurity standards and programs, including information technology (IT) staffing, network monitoring and testing, policy and program development, employee training and remediation, incident response, appropriate reporting protocols and records retention.”2
Requirements include:
- Accurate and thorough risk assessments of the hospital’s potential risk and vulnerabilities, at least annually.
- A cybersecurity program designed to perform the core functions of identifying, assessing, and defending against internal and external risks as well as detecting, responding to and recovering from cybersecurity events.
- Written policies and procedures that address a variety of areas including but not limited to information security, data governance, business continuity and disaster recovery, systems and network security and monitoring, vendor and third-party service provider management, and training.
- Designation of a chief information security officer (CISO) responsible for developing and enforcing the cybersecurity policy. The CISO may be an employee of the facility or an employee of a third-party or contract vendor.
- Implementation of testing and vulnerability assessments in accordance with the hospital’s risk assessment but no less than annually.
- Utilization of qualified cybersecurity personnel of the hospital, an affiliate or a third-party service provider sufficient to manage the hospital’s cybersecurity risks.
- A written security policies for third-party service providers.
- Risk-based authentication such as multifactor authentication.
- Training and monitoring.
- A written incident response plan designed to promptly respond to and recover from a cybersecurity incident.
- Notification to DOH within two hours of a cybersecurity security incident.
Many of the requirements are considered best practice recommendations and; therefore, many organizations may have these in place. It’s important for all organizations to assess their adherence to the new requirements and develop a book of evidence to support the changes.
As proposed, hospitals will have one year from the effective date to comply with the new regulations. However, the regulation requiring general hospitals to notify the department within two hours of a determination that a cybersecurity incident has occurred is proposed to be in effect immediately upon adoption.
See Our Latest FORsights™
HHS released a working paper detailing its new framework to support cybersecurity in the healthcare industry. Learn what impact this may have on your organization. Read on for details.
- 1“The proposed regulations will affect all general hospitals licensed pursuant to Article 28 of the Public Health Law, regardless of size or location. There are currently 226 hospitals in New York State, including Veteran’s Affairs facilities (which would not be affected by these proposed regulations).” Department of State, Division of Administrative Rules. New York State Register, page 9, December 6, 2023.
- 2Department of State, Division of Administrative Rules. New York State Register, page 9, December 6, 2023.