New York Governor Proposes Stringent Cybersecurity Regulations for Hospitals
New York is the first state to propose cybersecurity requirements for all hospitals operating in the state to address patient safety and other cybersecurity related issues.
On November 16, 2023, New York Governor Kathy Hochul proposed cybersecurity regulations applicable to all hospitals operating within the state. The proposed regulations are expected to complement the Security Rule of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") by strengthening the data privacy and cybersecurity protocols of hospitals and mitigating disruptions to the provision of health care. With these regulations, New York is continuing its trend of issuing industry-specific cyber regulations, the first being its NYDFS Cybersecurity Regulations (2017), amended November 1, 2023, which contain similar provisions applicable to financial institutions in New York.
While the proposed regulations have not yet been published, according to Governor Hochul, proposed regulations will require hospitals operating in New York State to:
- Establish comprehensive cybersecurity protocols that the Governor believes are "critically important to [New York's] health care system."
- Establish a cybersecurity program, regularly assess internal and external cybersecurity risks, and establish a response and notification protocol in the event of a cybersecurity incident.
- Appoint a Chief Information Security Officer (CISO).
- Use multifactor authentication to access hospital internal networks from an external network.
- Adopt written procedures, guidelines, and standards for the security of on-premise applications.
- Identify material cyber incidents and report (or have a contractor responsible for cybersecurity reporting) material events that affect hospital operations to the appropriate stakeholders within two hours of the incident.
There will be a 60-day public comment period from the date the proposed regulations are published, ending February 5, 2024. Hospitals in New York will have one year from the enactment date to achieve compliance.
Hospitals operating in New York will need to assess their cybersecurity infrastructure, controls, policies and procedures, and incident response programs for compliance with the new regulations and update them as needed. For some providers, it will be necessary to engage third-party security providers (e.g., managed security service providers) to support compliance under appropriate contractual terms. Hospitals outside of New York should monitor the implementation of these regulations as other states may well follow suit.