New York State has released its proposed cybersecurity regulations for hospitals, which the Governor’s Office says will help the state’s hospitals establish policies and procedures to safeguard healthcare systems from growing cyber threats. Governor Kathy Hochul’s Fiscal Year 2024 budget includes $500 million in funding that healthcare facilities may apply to upgrade their technology systems to comport with the proposed regulations.
The proposed regulations aim to strengthen the protections on hospital networks and systems that are critical to providing patient care, as a complement to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule that focuses on protecting patient data and health records. Under the proposed provisions, hospitals will be required to establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks, use defensive techniques and infrastructure, implement measures to protect their information systems from unauthorized access or other malicious acts, and take actions to prevent cybersecurity events before they happen.
Additionally, the proposed regulations require that hospitals develop response plans for a potential cybersecurity incident, including notification to appropriate parties. Hospitals will also be required to run tests of their response plan to ensure that patient care continues while systems are restored back to normal operations.
The proposed regulations mandate that each hospital’s cybersecurity program includes written procedures, guidelines, and standards to develop secure practices for in-house applications intended for use by the facility. Hospitals will also be required to establish policies and procedures for evaluating, assessing, and testing the security of externally developed applications used by the hospital.
The proposed regulations also require hospitals to establish a Chief Information Security Officer role, if one does not exist already, in order to enforce the new policies and to annually review and update them as needed. Additionally, the proposed regulations require the use of multi-factor authentication to access the hospital’s internal networks from an external network.
The $500 million in funding was included in the Governor’s FY24 budget and will be part of an upcoming statewide capital program call for applications, opening soon. These funds will spur investment in modernization of health care facilities as well as utilization of advanced clinical technologies, cybersecurity tools, electronic medical records, and other technological upgrades to improve quality of care, patient experience, accessibility, and efficiency.
If adopted by the Public Health and Health Planning Council this week, the regulations will be published in the State Register on Dec. 6, and undergo a 60-day public comment period ending on Feb. 5, 2024. Once finalized, hospitals will have a year to come into compliance with the new regulations.
