Last month, a cyberattack forced two New York hospitals to divert and even discharge some patients to other facilities, while the affected hospitals shut down their IT systems to address the issue and restore their secure network. [cite] In the wake of this event, New York Governor Kathy Hochul has proposed a cybersecurity regulation that would create a new section, Section 405.46 of Title 10 of the Official Compilation Codes, Rules and Regulations of the State of New York, and which would apply to all general hospitals in New York State. Governor Hochul plans to allocate $500 million to back the proposed regulation. [cite]

Governor Hochul’s administration’s objective is for hospitals to establish cyber defense programs, as well as prepare for any potential attacks with tested plans. [cite] The proposed regulation aims to accomplish this through a series of detailed subsections.

For example:

• Section 405.46 (c) establishes the requirements for hospitals to have a cybersecurity program and defines protocols, procedures, and core functions of such program.
• Section 405.46 (d) defines the cybersecurity policies that general hospitals will need to create and the topics that should be considered after a risk assessment has been performed.
• Section 405.46 (e) requires general hospitals to designate a Chief Information Security Officer who will be responsible for cybersecurity program creation, implementation, and oversight.
• Section 405.46 (f) sets forth the requirements for testing and vulnerability of a general hospital’s cybersecurity program.
• Section 405.46 (g) outlines the audit trails and records maintenance and retention requirements of a general hospital’s cybersecurity program.
• Section 405.46 (h) sets forth the requirements for cybersecurity risk assessments and the considerations for policies and procedures relative to those risk assessments.

• Section 405.46 (i) sets forth the requirements for cybersecurity personnel general hospitals must utilize.
• Section 405.46 (j) sets forth the policies for third-party service providers of cybersecurity programs.
• Section 405.46 (k) sets forth the requirements for multi-factor authentication procedures.
• Section 405.46 (l) sets forth the requirements for training and monitoring of the cybersecurity program.
• Section 405.46 (m) defines the requirements for an incident response plan in the event of a cybersecurity incident.
• Section 405.46 (n) defines the reporting requirements for a general hospital during a cybersecurity incident [ . . .]

The plan has already received constructive criticism from health care privacy professionals. Mari Savickis, Vice President for Public Policy at the College of Healthcare Information Management Executives, stated that requiring hospitals to report incidents within two hours in unrealistic and may even put patients at risk [cite]. Section 405.46 (n). Lee Kim, Senior Principal of Cybersecurity and Privacy at the Healthcare Information and Management Systems Society, felt that the proposed legislation should do more by way of addressing cybersecurity training for cyber professionals [cite]. In addition many in the health care industry predict that this type of hospital-specific cybersecurity regulation could spread to other states. 

New York State is accepting comments on Governor Hochul’s plan through February 5, 2024. If passed, Section 405.46 (p) provides general hospitals one (1) year from the date of adoption to comply with the new regulatory requirements, except that general hospitals must immediately begin reporting to the Department as required by subdivision (n) of this section.