With days before new state regulations kick in, New York health care systems and hospitals are scrambling to implement cybersecurity protections so they comply with the new rules.
The state has issued an Oct. 2 deadline to comply with new cybersecurity regulations we first reported in 2023. The New York State Department of Health’s requirements to protect patient data are more stringent than those required under the Health Insurance Portability and Accountability Act and also include protection for personally identifiable information (PII) available in a hospital’s ongoing business information systems.
Under the new regulations, hospitals must designate a chief information security officer charged with developing a written plan to assess system vulnerabilities, protect against cybersecurity risks, detect cybersecurity events and respond to, report and recover from cybersecurity breaches. The officer will test and audit the hospital’s data systems and report information annually to the state health department.
The rule about reporting cybersecurity events went into effect when the regulations were approved in October 2024. The rest must be in place by Oct. 2.
Cybersecurity Changes Exceed HIPAA Requirements
Many hospitals will have some level of cybersecurity in place because of HIPAA requirements, but the state’s requirements go above and beyond HIPAA’s in some instances. When Gov. Kathy Hochul announced her proposed cybersecurity regulations, she said she wanted “nation-leading” security for protected health information (PHI) and PII.
“Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals,” she said. “These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”
Specific examples of how the New York regulation exceeds the HIPAA standard fall into several categories: data scope, breach notification, cyber leadership, risk assessments, cybersecurity program, audit trails and enforcement. Below is a table that shows how these two regulations differ:
The New York standard is significantly more prescriptive than the federal standard, and it behooves any organization subject to the New York law to reevaluate its security and privacy programs to ensure they address the additional requirements of the new state law before a significant event puts the program under the microscope of a state regulator.