New York has proposed new cybersecurity regulations for hospitals in a bid to combat the increasing number of cyberattacks and data breaches. According to the HHS’ Office for Civil Rights, hacking incidents at hospitals, health systems, and other HIPAA-regulated entities increased by 77% in 2023, and ransomware attacks have increased by 278% in the past 4 years. Cyberattacks on hospitals have disrupted operations, delayed essential healthcare services, and put patient safety at risk. In New York, healthcare was the most attacked critical infrastructure sector last year, and in the first half of 2023, healthcare cyberattacks in New York were reported at twice the number seen in 2022.
Hospitals are required to comply with the Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule, which calls for safeguards to be implemented to protect the confidentiality, integrity, and availability of electronic protected health information, but it is clear from the number of successful attacks and data breaches that compliance with the HIPAA Security Rule alone is not enough. The proposed regulations for hospitals are intended to complement HIPAA and contain more specific requirements to strengthen the protections for hospital networks and systems that are critical to providing patient care. The new rules were proposed last week and will be published in the state register in early December if they are adopted by the Public Health and Health Planning Council. A 60-day public comment period will follow, and hospitals will then be given a grace period of 12 months to ensure they are fully compliant with the new regulations.
“Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals,” said Governor Hochul. “These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.” The new regulations include a requirement for hospitals to appoint a Chief Information Security Officer (CISO) to oversee cybersecurity if they have not already appointed one. They must develop and implement a cybersecurity program, which includes procedures, guidelines, and standards for in-house applications and policies for evaluating and testing third-party apps.
Hospitals will be required to take proven steps to assess internal and external cybersecurity risks, use defensive techniques and infrastructure, and implement measures to protect their information systems from unauthorized access, including multifactor authentication for any external access to internal networks and data, and to take actions to prevent cybersecurity events before they happen. Hospitals will also be required to develop, implement, and test an incident response plan to ensure that patient care can continue to be provided if IT systems are taken offline.
New York State Health Commissioner Dr. James McDonald said, “Under Governor Hochul’s leadership, New York State has significantly enhanced its cyber defenses, which are critically important to our health care system. When we protect hospitals, we protect patients. These nation-leading draft cybersecurity hospital regulations build on the Governor’s state of the state priority by helping protect critical systems from cyber threats and ensuring New York’s hospitals and health care facilities stay secure.”
One of the reasons hospitals have not done more to counter cyber threats is a lack of funding due to competing priorities. To make it easier for hospitals to make the necessary improvements, Governor Hochul has made $500 million available in the state’s fiscal year 2024 budget, and hospitals will be able to apply for funding to upgrade their technology systems.