Stricter Cybersecurity Regulations Proposed for New York Hospitals

New York, November 14th, 2023 -- New York has proposed tighter cybersecurity regulations for hospitals throughout New York State in response to a series of crippling attacks that have caused disruption to healthcare services, delays to patient care, and have put patient safety at risk.

Governor Kathy Hochul announced the proposed measures on Monday, which are expected to be published in the State Register on December 6, 2023, provided they are adopted by the Public Health and Health Planning Council this week. The new cybersecurity requirements will then undergo a 60-day public comment period, which will end on February 5, 2033. When the new regulations are finalized, hospitals will be given a 1-year grace period to ensure full compliance.

The proposed regulations include the requirement for New York hospitals to appoint a Chief Information Security Officer if they have not done so already, implement defensive infrastructure and cybersecurity tools including multifactor authentication, and conduct regular risk analyses to identify cyber risks.

Any in-house applications must be developed using secure software design principles, and processes must be developed and implemented for testing the security of third-party software. Hospitals in the state will also be required to develop and test incident response plans to ensure that care can continue to be provided to patients in the event of a cyberattack.

New York hospitals already have cybersecurity responsibilities under the Health Insurance Portability and Accountability Act (HIPAA), which sets minimum standards for cybersecurity. The proposed regulations are intended to complement the HIPAA Security Rule and include similar requirements, but while the HIPAA Security Rule is largely technology agnostic, the proposed regulations in New York include specific measures that hospitals must implement.

“Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals,” said Governor Hochul. “These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”

There has been a massive increase in healthcare cyberattacks in recent years. The HHS’ Office for Civil Rights recently announced that hacking incidents now account for 77% of all healthcare data breaches, there has been a 239% increase in large data breaches in the past 4 years, and a 278% increase in ransomware attacks. While reported data breaches of 500 or more records are down slightly from 2022, more than 102 million healthcare records have been exposed or compromised – almost twice the number of breached records as in 2022.

These attacks clearly show that hospitals and health systems are struggling to prevent unauthorized access to their systems and that more needs to be done to improve cybersecurity than complying with the HIPAA Security Rule. There are often competing priorities in healthcare, and while investment in cybersecurity has increased, some hospitals have struggled to find the necessary funding to improve cybersecurity. To help ease the financial burden, Governor Hochul’s FY24 budget includes $500 million in funding for healthcare facilities to enable them to upgrade their technology systems to comply with the proposed regulations and pay for necessary cybersecurity tools, electronic health records, advanced clinical technologies, and other technological upgrades to improve quality of care, patient experience, accessibility, and efficiency.

“When it comes to protecting New Yorkers from cyberattacks that have become more numerous and more sophisticated, safeguarding our hospitals is an essential part of New York’s aggressive and comprehensive whole-of-state approach,” said New York State Chief Information Officer Dru Rai. “We thank the Governor and our agency partners for their ongoing commitment and are pleased that the state’s hospitals will be getting the uniform guidance and resources necessary to further enhance their own cybersecurity, thereby protecting patients and the critical systems that provide quality care all across New York.”

For more information please visit: https://www.governor.ny.gov/news.