On December 6, 2023, New York proposed new cybersecurity requirements for all general hospitals operating in the state licensed under Article 28 of the Public Health Law, regardless of size or location.
There are 226 hospitals in New York State, including Veterans Affairs facilities (which would not be affected by these proposed regulations). Organizations have one year from the enactment date to achieve compliance with these new hospital cybersecurity regulations. The only exception is incident reporting: general hospitals must report cybersecurity incidents to the Department within two hours of determining that a cybersecurity incident has occurred. A “cybersecurity incident” is defined as a cybersecurity event that has a material adverse impact on normal operations, has a reasonable likelihood of materially harming any part of the regular operation(s), or results in the deployment of ransomware within any part of the hospital’s information systems.
Highlights from the Proposed New York Cybersecurity Regulations for Hospitals
- General hospitals must hire or appoint a Chief Information Security Officer (CISO) to design and implement their cybersecurity program. Each hospital must use qualified cybersecurity personnel, whether its own, an affiliate’s, or a third-party service provider’s, sufficient to manage the hospital’s cybersecurity risks.
- Facilities are required to maintain audit trails for the systems designed to detect and respond to cyber events. All supporting documentation (such as records, schedules, reports and data), together with any identified areas, systems or processes that require material improvement, updating or redesign, must be documented and kept available for inspection by the department for a six-year period.
In addition, the new healthcare cybersecurity regulations will require all NY hospitals to adhere to the following:
- Monitor and test the cybersecurity program, which includes penetration testing of the hospital’s information systems by a qualified internal or external party at least annually.
- Establish policies and guidelines for due diligence, contractual and minimum control protections relating to third-party service providers’ security of information systems and of nonpublic information accessible to, or held by, third-party service providers.
- Use multifactor authentication, risk-based authentication or another compensating control to protect against unauthorized access to nonpublic information and for any individual accessing the hospital’s internal networks from an external network.
- Implement risk-based policies and controls to monitor the activity of authorized users and detect unauthorized access or use of nonpublic information.
- Provide regular cybersecurity awareness training for all personnel, updated to reflect risks identified in any risk assessment.
- Maintain written secure development practices for applications developed in-house and in use at the hospital.
- Establish procedures for evaluating, assessing and testing the security of externally developed applications.
- Establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity incident materially affecting the hospital’s information systems or the functionality of any aspect of the hospital’s business or operations.