- New York is proposing new, “nation-leading” cybersecurity regulations for hospitals that aim to protect facilities and keep them open when attacks occur, Gov. Kathy Hochul announced Monday.
- Under the proposed rules, hospitals will be required to develop their own cybersecurity programs, assess internal and external risks, and create and test incident response plans.
- Healthcare facilities will be able to apply for funding to upgrade their technology systems from $500 million allocated in the state’s fiscal year 2024 budget.
Cybersecurity is an increasingly serious challenge for hospital operators as data breaches and hacking incidents rise. The personal health information and sensitive data of hundreds of millions of patients has been exposed over the past decade, according to federal regulators.
Hacking incidents, in particular, have soared as cybercriminals target organizations’ valuable data stores. Ransomware — where criminals demand a payment to return access to critical systems and patient data — can disrupt access to medical records, delay care and lead to deadly consequences for patients.
New York’s healthcare industry reported the most cyberattacks among the state’s critical infrastructure sectors last year, according to a report from the state’s comptroller.
Preliminary figures through the first half of 2023 show the number of cyberattacks on New York’s critical infrastructure has already nearly doubled compared to last year’s total.
The proposed rules announced on Monday aim to improve protections for hospital IT systems, acting as a complement to the federal HIPAA rule focused on patient data and records, according to the announcement.
The regulations would require hospitals to develop a cybersecurity program that includes procedures, guidelines and standards for in-house applications as well as policies for evaluating and testing apps built by third parties.
Facilities will also need to put together response plans in case of a cybersecurity incident, and test those procedures to ensure patient care continues while systems are being restored.
They’ll also be required to use multifactor authentication to access the hospital systems from an external network and hire a CISO, who will be tasked with enforcing cybersecurity policies and reviewing them annually.
The rules will be published in the state register in early December if they’re adopted by the Public Health and Health Planning Council. A 60-day public comment period will end in early February, and hospitals will have a year to comply with the regulations if finalized.