New York State’s Hospital Cybersecurity Regulations: A New Era of Protection
In an age where cyber threats loom large over critical sectors, New York State has taken a significant step forward by enacting new cybersecurity regulations for hospitals. Effective October 2, 2024, general hospitals across the state are required to report material cybersecurity incidents to the New York State Department of Health within 72 hours of determining that such an incident has occurred. This initiative aims to streamline the response to cybersecurity incidents and bolster the overall security posture of healthcare facilities.
Key Provisions of the New Regulations
The most prominent feature of the new regulations is the 72-hour reporting requirement for material cybersecurity incidents. According to the regulations, hospitals must report any incident that meets at least one of the following criteria:
- It has a material adverse impact on the normal operations of the hospital.
- It has a reasonable likelihood of materially harming any part of the normal operations of the hospital.
- It results in the deployment of ransomware within a material part of the hospital’s information systems.
While the initial proposal suggested a more stringent two-hour reporting timeframe, public feedback led to the adoption of the 72-hour window. This timeframe is still notably shorter than the reporting requirement under the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, which requires covered entities to notify the Department of Health and Human Services (HHS) of breaches affecting 500 or more individuals without unreasonable delay and no later than 60 calendar days after discovery.
However, the New York regulations focus on notifying the Department of Health that a cybersecurity incident has occurred, rather than on confirming a data breach. The trigger is operational impact (or ransomware deployment), not a completed forensic determination that protected health information was compromised, so the 72-hour clock can start well before an investigation is finished. This allows the department to assist in emergency response efforts and to mitigate exposure for other entities. Hospitals must therefore have incident response plans that classify an incident's materiality quickly and route it to the reporting process, so that timely reporting and effective management of the incident proceed in parallel.
Additionally, hospitals are required to retain documentation related to cybersecurity incidents for at least six years and to provide it to the New York State Department of Health upon request. While the notification requirement took effect in October 2024, hospitals have until October 2, 2025, to comply with the remaining provisions of the regulations.
Comprehensive Cybersecurity Measures
The regulations outline several critical measures that hospitals must implement by October 2025:
- Cybersecurity Program Development: Hospitals must create and implement a cybersecurity program designed to identify both internal and external cybersecurity risks.
- Security Controls: Facilities are required to implement security controls to mitigate risks associated with email-based threats.
- Chief Information Security Officer (CISO): Each hospital must appoint a senior or executive-level staff member to serve as the CISO. Hospitals have the option to outsource this role to a third-party contractor.
- Multifactor Authentication (MFA): Hospitals must use effective access controls, which may include MFA or risk-based authentication, to protect nonpublic information and information systems from unauthorized access.
- Incident Response Plan: Hospitals must adopt a written incident response plan that enables them to respond to and recover from material cybersecurity incidents effectively.
- Data Disposal Policies: Facilities are required to develop policies for the secure disposal of nonpublic information that is no longer necessary for operations.
- Annual Risk Assessments: Hospitals must conduct annual risk assessments and develop monitoring and testing protocols, including penetration testing, based on the results of these assessments.
- Audit Trails and Third-Party Security Policies: Hospitals must also maintain audit trails and develop security policies covering third-party service providers that have access to their information systems or nonpublic information.
The New York State Department of Health has emphasized that these regulations are designed to be flexible, allowing hospitals to comply based on their specific operations without being overly prescriptive or financially burdensome.
Implications for the Healthcare Sector
While the new regulations apply specifically to general hospitals in New York, they serve as a benchmark for healthcare organizations across the country. Hospitals in other states can evaluate their cybersecurity programs against these best practices, preparing for potential future regulations at both the state and federal levels.
The regulations were introduced in response to a series of cyberattacks targeting hospitals and align with federal proposals advocating for minimum cybersecurity standards across the healthcare sector. The U.S. Department of Health and Human Services (HHS) has already released sector-specific cybersecurity performance goals, which, although voluntary, are expected to inform future enforceable standards.
As George Pappas, CEO of Intraprise Health, noted, the New York regulations reflect a proactive approach to cybersecurity, addressing patient safety and well-being in light of the increasing frequency and sophistication of cyber threats. The requirements share similarities with existing federal guidelines, such as the Health Industry Cybersecurity Practices (HICP), which provide organizations with prescriptive measures to enhance their cybersecurity posture.
Conclusion
New York State's newly enacted hospital cybersecurity regulations mark a pivotal moment in the ongoing battle against cyber threats in the healthcare sector. By establishing clear reporting requirements and comprehensive cybersecurity measures, these regulations aim to enhance the resilience of hospitals and protect patient data. As healthcare organizations across the nation observe New York's approach, they are encouraged to strengthen their cybersecurity programs and prepare for the evolution of regulatory standards in this critical area. The time to act is now, as the stakes for patient safety and data security have never been higher.