New York Implements New Cybersecurity Regulations For General Hospitals

On October 2, 2024, New York adopted new cybersecurity regulations that require “general hospitals” in the state to implement a raft of cybersecurity measures. Before the regulations were adopted, New York had no state-level cybersecurity requirements for hospitals covering the safeguarding of patients’ protected health information (PHI) and personally identifiable information (PII); hospitals were bound only by the minimum standards of the federal Health Insurance Portability and Accountability Act (HIPAA).

Under state law, general hospitals are classed as healthcare institutions that “provide medical or medical and surgical services primarily to in-patients by or under the supervision of a physician on a twenty-four-hour basis with provisions for admission or treatment of people in need of emergency care.”

Currently, there are more than 190 general hospitals in the state of New York that are required to comply with the new cybersecurity requirements. The new law does not apply to diagnostic centers, treatment centers, outpatient care facilities, nursing homes, public health centers, or Veterans Affairs facilities.

The new law was prompted by a series of crippling cyberattacks on New York hospitals. In 2023, the Department of Health had to respond to at least one material cybersecurity incident at a New York hospital every month, many of which forced the hospitals to go on divert, disrupted patient care, and involved the theft of sensitive patient data.

The new rule took effect on October 2, 2024. From that date, covered hospitals must report any material cybersecurity incident to the New York State Department of Health within 72 hours of discovery. The 72-hour reporting window is considerably longer than the 2-hour window in the original proposal, but it runs continuously: an incident discovered on a Friday evening or just before a federal holiday, when staffing levels are lowest and many attacks are deliberately timed to land, still has to be reported before the clock runs out, so the incident response plan needs to assign reporting responsibility for those periods. The other requirements have a compliance date of October 2, 2025.

A material cybersecurity incident is defined as a cybersecurity incident that has a reasonable likelihood of materially harming any part of the normal operations of a hospital. The definition includes, but is not limited to, ransomware attacks that affect a material part of the hospital’s information systems. The reporting requirement is intended to let the state respond rapidly to incidents that have the potential to disrupt patient care.

Hospitals have one year from the effective date to comply with the remaining cybersecurity requirements. Those requirements are intended to raise the bar above the minimum standards mandated by the HIPAA Security Rule, which has not had a major update since 2013.

The HHS is currently working on an update to the HIPAA Security Rule. Even if the HHS proposes new minimum cybersecurity standards this year, they will have to go through the standard rulemaking process: a notice of proposed rulemaking, a comment period, publication of a final rule, and a compliance period in which HIPAA-covered entities make the necessary changes. Until then, the only federal guidance beyond the current Security Rule is the set of voluntary cybersecurity performance goals the HHS announced in January 2024. The New York regulations impose binding requirements on a fixed timeline, so covered hospitals will have to improve their cybersecurity much sooner.

The new cybersecurity requirements include:

  • Conducting an accurate and thorough annual security risk assessment of the hospital’s information systems.
  • Establishing and maintaining a detailed incident response plan.
  • Appointing a Chief Information Security Officer (CISO).
  • Implementing multifactor authentication on all external-facing systems.
  • Conducting regular cybersecurity testing, including vulnerability scanning and penetration tests.
  • Maintaining an audit trail that allows cybersecurity incidents to be detected and responded to rapidly.
  • Reviewing all user access privileges at least annually and removing any access that is no longer necessary.
  • Providing regular cybersecurity awareness training to the workforce and updating that training to cover risks identified through the hospital’s risk assessments.

While most hospitals will already have many of these measures in place, compliance will still carry costs. The state estimates the cost of compliance at between $50,000 and $200,000 for small hospitals with 10 or fewer beds, between $200,000 and $500,000 for hospitals with 10-100 beds, and around $2 million for larger hospitals. In January, the Department released Statewide IV and Statewide V funding totaling $650 million to assist with implementation of and compliance with the regulatory requirements. Covered hospitals have been able to apply for grants since the start of the year, and the applications submitted are currently under review.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
