New York Governor Calls for New Hospital Cybersecurity Rules

New York Governor Kathy Hochul proposed new cybersecurity regulations for the state’s hospitals. The Governor’s fiscal year 2024 budget includes $500 million in funding that healthcare facilities may apply to upgrade their technology systems to comply with the proposed regulations.

Gov. Hochul’s efforts to better protect healthcare systems from cyber threats come after hospitals in the state were the victims of attacks. In October of 2023, three hospitals in the Westchester Medical Center Health Network had to divert ambulances away from their facilities for a week after an attack that knocked their phone, internet, and email services offline. Earlier in the year, two Upstate New York hospitals were hit by a LockBit ransomware attack. Due to the attack, Carthage Area Hospital and Claxton-Hepburn Medical Center were forced to divert ambulances to other local facilities and reschedule most appointments.

The proposal aims to improve the security of hospital networks and systems that are critical to providing patient care, as a complement to the HIPAA Security Rule that sets standards for protecting patient data and health records. Under the proposed provisions, hospitals will be required to:

  • Establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks
  • Use defensive techniques and infrastructure
  • Implement measures to protect their information systems from unauthorized access or other malicious acts
  • Take action to prevent cybersecurity events before they happen
  • Use multi-factor authentication to access the hospital’s internal networks from an external network

The proposed regulations also require hospitals to develop response plans for a potential cybersecurity incident, including notification to appropriate parties. Hospitals will also be required to run tests of their response plan to ensure that patient care continues while systems are restored to normal operations.

The proposed regulations mandate that each hospital’s cybersecurity program includes written procedures, guidelines, and standards to develop secure practices for in-house applications intended for use by the facility. Hospitals will also be required to evaluate, assess, and test the security of any third-party applications used by the hospital.

Hospitals would also be required to establish a Chief Information Security Officer role, if one does not exist already, responsible for enforcing the new policies and annually reviewing and updating them as needed.

The $500 million in the Governor’s FY24 budget will be part of an upcoming statewide capital program call for applications. These funds are intended to spur investment in the modernization of healthcare facilities and the utilization of advanced clinical technologies, cybersecurity tools, electronic medical records, and other technological upgrades to improve quality of care, patient experience, accessibility, and efficiency.

If adopted by the Public Health and Health Planning Council this week, the regulations will be published in the State Register on Dec. 6, and undergo a 60-day public comment period ending on Feb. 5, 2024. Once finalized, hospitals will have a year to come into compliance with the new regulations.

CompliancePoint has a team of experienced cybersecurity and healthcare professionals. We can help design and implement a cybersecurity program that will allow your organization to better defend against attacks and take the appropriate response in the event of an incident. We also have experience helping organizations achieve HIPAA compliance and HITRUST certifications. Contact us at to learn more.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.