The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Stricter Cybersecurity Regulations Proposed for New York Hospitals

New York has proposed tighter cybersecurity regulations for hospitals throughout New York State in response to a series of crippling attacks that have caused disruption to healthcare services, delays to patient care, and have put patient safety at risk.

On Monday, Governor Kathy Hochul announced the proposed measures, which are expected to be published in the State Register on December 6, 2023, provided they are adopted by the Public Health and Health Planning Council this week. The new cybersecurity requirements will then undergo a 60-day public comment period, which will end on February 5, 2024. When the new regulations are finalized, hospitals will be given a 1-year grace period to achieve full compliance.

The proposed regulations include the requirement for New York hospitals to appoint a Chief Information Security Officer if they have not done so already, implement defensive infrastructure and cybersecurity tools including multifactor authentication, and conduct regular risk analyses to identify cyber risks. Any in-house applications must be developed using secure software design principles, and processes must be developed and implemented for testing the security of third-party software. Hospitals in the state will also be required to develop and test incident response plans to ensure that care can continue to be provided to patients in the event of a cyberattack.

New York hospitals already have cybersecurity responsibilities under the Health Insurance Portability and Accountability Act (HIPAA), which sets minimum standards for cybersecurity. The proposed regulations are intended to complement the HIPAA Security Rule and include similar requirements, but while the HIPAA Security Rule is largely technology agnostic, the proposed regulations in New York include specific measures that hospitals must implement. “Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals,” said Governor Hochul. “These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”


There has been a massive increase in healthcare cyberattacks in recent years. The HHS’ Office for Civil Rights recently announced that hacking incidents now account for 77% of all healthcare data breaches, there has been a 239% increase in large data breaches in the past 4 years, and a 278% increase in ransomware attacks. While reported data breaches of 500 or more records are down slightly from 2022, more than 102 million healthcare records have been exposed or compromised – almost twice the number of breached records as in 2022.

These attacks clearly show that hospitals and health systems are struggling to prevent unauthorized access to their systems and that more needs to be done to improve cybersecurity than simply complying with the HIPAA Security Rule. “For our nation’s hospitals, the stakes could not be higher when it comes to cybersecurity risk. With threat actors continuing to frequently target hospitals and the potentially devastating outcomes for continuity of care, it is imperative that hospital leadership continue to invest in cybersecurity risk mitigation measures. Governor Hochul’s new cybersecurity regulations are a clear signal to the healthcare industry that cybersecurity preparedness is no longer a ‘nice-to-have,’” said Jamie Singer, co-leader of FTI Consulting’s Cybersecurity & Data Privacy Communications practice. “Having tested incident response procedures and dedicated crisis communications plans in place is critical for a hospital’s ability to respond effectively and mitigate operational, legal, financial, and reputational harm in the midst of a live incident.”

There are often competing priorities in healthcare, and while investment in cybersecurity has increased, some hospitals have struggled to find the necessary funding to improve cybersecurity. To help ease the financial burden, Governor Hochul’s FY24 budget includes $500 million in funding for healthcare facilities to enable them to upgrade their technology systems to comply with the proposed regulations and pay for necessary cybersecurity tools, electronic health records, advanced clinical technologies, and other technological upgrades to improve quality of care, patient experience, accessibility, and efficiency.

“When it comes to protecting New Yorkers from cyberattacks that have become more numerous and more sophisticated, safeguarding our hospitals is an essential part of New York’s aggressive and comprehensive whole-of-state approach,” said New York State Chief Information Officer Dru Rai. “We thank the Governor and our agency partners for their ongoing commitment and are pleased that the state’s hospitals will be getting the uniform guidance and resources necessary to further enhance their own cybersecurity, thereby protecting patients and the critical systems that provide quality care all across New York.”

“As the U.S. healthcare system slowly recovers from a staffing crisis and employee burnout, the likelihood of impending cyberattacks is worrying for all healthcare systems. Considering that 17% of healthcare cyberattacks lead to physical harm or death, the current growth trajectory can lead to tragedy. The industry has not been purposefully negligent. Instead, a combination of missing education, low investment, and minimal guidelines for initiating change creates the perfect storm for malicious actor exploitation,” said Karan Sondhi, VP, CTO – Public Sector, Trellix. “Considering these factors, the cybersecurity rules proposed by New York regulators will lay a much-needed framework for incident response plans and spur the implementation of security measures like multifactor authentication. Such regulations could take a commendable first step towards protecting both healthcare institutions and patients from malicious actors.”

“New York’s action is a step in the right direction when it comes to cybersecurity policy in healthcare, and all states should follow suit, including carving out state budgets to help under-resourced hospitals get up to speed as quickly as possible,” Mike Parisi from cybersecurity compliance firm Schellman told The HIPAA Journal. “Health systems and hospitals are huge targets for bad actors because of the opportunities for vulnerabilities, as well as the amount of any kind of information they have. But it’s not just data that is at risk, bad actors are pushing the limits of what they are attacking (think lights, HVAC, power, and backup resources that can shut down the OR), and it is putting lives at risk. Stepping in to enforce proper security practices to protect patients is a must from a policy point of view.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
