New York state proposes new cybersecurity regulations for hospitals

New York has proposed a slew of new cybersecurity regulations for the state’s hospitals and plans to funnel $500 million from its fiscal year 2024 budget to help facilities upgrade their technology systems, Gov. Kathy Hochul announced Monday.

The regulations, if adopted, would require hospitals to establish a formal cybersecurity program among other measures to limit unauthorized access to their information systems.

“Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals,” Hochul said in a release announcing the proposal. “These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”

The proposed regulations will go before the state’s Public Health and Health Planning Council this week and, if adopted, will be published in the State Register on Dec. 6 for a 60-day public comment period, according to Hochul’s office. Hospitals will be given a year to come into compliance with the requirements once they are finalized.

Under the proposal, hospitals’ cybersecurity programs will need to include written procedures, guidelines and standards to ensure applications developed in-house are secure, according to the announcement. Hospitals will also need to develop policies and procedures for evaluating the security of any externally developed applications they use.

Further, hospitals would need to develop response plans for any potential cybersecurity incidents and perform test runs of those plans “to ensure that patient care continues while systems are restored back to normal operations,” the governor’s office wrote.

Other proposed requirements include establishing a chief information security officer who would be responsible for reviewing and updating policies on an annual basis, and requiring multifactor authentication when hospitals’ internal networks are accessed from an external network.

“When we protect hospitals, we protect patients,” New York state's health commissioner James McDonald, M.D., said in the announcement. “These nation-leading draft cybersecurity hospital regulations build on the governor’s state of the state priority by helping protect critical systems from cyber threats and ensuring New York’s hospitals and health care facilities stay secure.”

To support hospitals’ adoption of the proposed regulations, the governor’s office said it will “soon” be accepting applications for a statewide capital program backed by $500 million that was already included in the governor’s FY24 budget.

“These funds will spur investment in modernization of health care facilities as well as utilization of advanced clinical technologies, cybersecurity tools, electronic medical records and other technological upgrades to improve quality of care, patient experience, accessibility and efficiency,” the governor’s office wrote.

Hochul’s announcement pointed to warnings from federal agencies that healthcare organizations, including those in New York, have become a prime target for cyberattacks. Federal agencies have also released several free resources including online training and best practices to help healthcare organizations shore up their cyber defenses.

So far this year, industry reports and Department of Health and Human Services data suggest the industry has seen fewer but substantially larger cybersecurity incidents as compared to 2022 as well as a shifting focus to third-party vendors as targets for a breach.

Mike Hamilton, chief information security officer of cybersecurity firm Critical Insight, told Fierce Healthcare that the plan mirrors a similar rollout within New York's financial sector. The proposed regulations for healthcare largely fall in line with existing HIPAA requirements, "with the exception of implementing auditable controls over internal application development" that exceed federal initiatives, he said.

The $500 million grant funding "will certainly be focused on technology upgrades, as technical debt and the associated vulnerabilities are known to be a primary exploitation vector for threat actor initial access in the healthcare sector," he continued. There may be some burden on public health organizations that lack the cybersecurity expertise to put together an informed application for the grant, he noted, as well as a need to budget for ongoing operation, maintenance and staffing of any improvements.

"Lastly, the outcome of this effort should be better (more frequent?) auditing of required controls, a reduction in the dependence of legacy technologies, broad uptake of table-stakes controls like multifactor authentication, and processes put in place that are designed to facilitate rapid recovery from cybersecurity incidents in alignment with the federal ‘Shields Ready’ initiative just announced," Hamilton wrote in an email comment. "To that end, it is hoped that one of the requirements approved is an emphasis on network, endpoint, and cloud monitoring as well as incident response readiness. Rapidly detecting a compromise is the key to limiting impact; put out the grease fire on the stove and the house doesn’t become engulfed in flames."