New York Wants Comprehensive Cybersecurity Plans for Hospitals by February 2025

Harris Beach PLLC

New York Gov. Kathy Hochul is touting her proposed statewide cybersecurity regulations for hospitals and health systems as “nation-leading,” and, if approved, those entities will have until February 2025 to comply with the new rules.

Hochul recently announced her proposed cybersecurity regulations, saying they would be made public on Dec. 6 in the State Register if adopted by the Public Health and Health Planning Council. She also said her 2024 budget includes $500 million in funding for health care facilities to upgrade their technology systems and comply with the new rules.

Growing cyber threats are forcing cybersecurity to evolve, Hochul said.

"Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals," she said. "These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”

The Cybersecurity and Health Services team at Harris Beach is particularly interested in understanding the scope of entities covered by this new regulation and the flexibility they have to design a program tailored to their circumstances and risks. Presumably, most large hospital systems already have many of the requirements outlined in the press release in place. But smaller covered entities may not have some of the technical, administrative or physical controls required by the regulation, to the extent those requirements are broader than the security requirements of HIPAA.

Typically, we see a risk-based approach to cybersecurity: smaller organizations are perceived as less of a target and hence have fewer controls, while larger organizations are larger targets and have the wherewithal to support a larger cybersecurity program. It will be important for commentators to consider both the definition of an entity covered by this regulation and the flexibility each has to address the risks associated with its handling of protected health information. It will also be important to assess how many additional controls the new regulation will compel when compared to the required and addressable controls under HIPAA.

Hochul wants hospitals and health facilities to proactively prevent cybersecurity incidents with security plans that assess internal and external risks, develop defensive techniques and infrastructure and implement measures that protect the systems from unauthorized access and malicious acts.

Additionally, the proposed regulations require response plans for security incidents and testing to ensure patient care continues during an incident.

The proposed regulations will undergo a 60-day public comment period ending on Feb. 5, 2024. Once finalized, hospitals will have a year to comply with the new regulations.

Hochul said the cybersecurity plans must include “written procedures, guidelines, and standards to develop secure practices for in-house applications intended for use by the facility.” Hospitals also must establish “policies and procedures for evaluating, assessing, and testing the security of externally developed applications used by the hospital.” The proposed regulations also require the use of multi-factor authentication to access the internal networks from an external network.

Gov. Hochul is also proposing that hospitals be required to create a Chief Information Security Officer role to enforce the new policies and update them annually.

Gov. Hochul said the proposed regulations are a complement to the Health Insurance Portability and Accountability Act requiring patient data and health records to be protected.

The $500 million in funding will be part of an upcoming statewide capital program call for applications, opening soon. The governor expects these funds to spur investment in modernizing health care facilities and the adoption of “advanced clinical technologies, cybersecurity tools, electronic medical records, and other technological upgrades to improve quality of care, patient experience, accessibility, and efficiency.”

Cyberattacks a Main Concern for Health Care Leaders

Chief Healthcare Executive recently reported more than 88 million people have been affected by large breaches of personal health information in the United States this year. Such breaches must be reported to the U.S. Department of Health and Human Services. The agency reports data breaches climbed by 239% in the past four years, including by 60% in 2023, with 77% of those breaches stemming from cyberattacks.

Healthcare systems are especially vulnerable. Moody’s Investors Service rates about $22 trillion of global debt as having “high” or “very high” cyber-risk exposure, with hospitals among the sectors facing the highest risk of cyberattacks. Moody’s Cyber Heatmap looks at two factors, exposure and mitigation, and scores 71 sectors. Not-for-profit hospitals ranked “very high” for cyber risk because they are highly attractive, data-rich targets with only average mitigation measures.

Healthcare providers are highly concerned about cybersecurity. According to a report last year from Bain & Company and KLAS Research, regional health systems, free-standing hospitals and mental health providers are especially focused on security and privacy investments, particularly in areas such as cybersecurity, Internet of Things security and patient privacy monitoring, the authors note.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Harris Beach PLLC | Attorney Advertising