
A Look at New York’s Proposed Cybersecurity Regulation of Hospitals
New York has become the first state to propose comprehensive cybersecurity regulations aimed at enhancing patient safety and addressing cybersecurity concerns in all hospitals operating within the state. This initiative, introduced in November of last year, is part of New York’s ongoing commitment to issuing industry-specific cyber regulations, building on the precedent set for financial institutions in 2017.
The proposed regulations, if passed, seek to fortify the data privacy and cybersecurity protocols of hospitals, complementing the existing Security Rule of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). By doing so, the regulations aim to not only safeguard sensitive patient information but also mitigate disruptions to healthcare administration caused by cybersecurity incidents.
Key Requirements of New York’s Cybersecurity Regulations for Hospitals:
- Comprehensive Cybersecurity Protocols: Hospitals will be required to establish robust cybersecurity protocols to ensure the integrity and confidentiality of patient data.
- Cybersecurity Program and Risk Assessment: Hospitals must develop and maintain a cybersecurity program, conduct regular assessments of cybersecurity risks, and establish a response protocol in the event of a cybersecurity incident.
- Chief Information Security Officer (CISO): Hospitals are mandated to appoint a CISO to oversee and lead cybersecurity efforts within the institution.
- Multifactor Authentication: Access to hospital internal networks from an external network will require the use of multifactor authentication, adding an extra layer of security.
- Security Guidelines for On-Premise Applications: Hospitals must adopt written procedures, guidelines, and standards to ensure the security of on-premise applications.
- Incident Reporting: Hospitals must promptly identify material cybersecurity incidents that impact hospital operations and report them to the relevant stakeholders within two hours of the incident.
The proposed regulations are currently open for a 60-day public comment period, set to conclude on February 5, 2024. If the regulations are finalized and adopted in their current form, hospitals in New York will have a one-year grace period to achieve compliance, beginning on the enactment date. The regulations would apply to all general hospitals licensed pursuant to Article 28 of the Public Health Law, a category that is not limited to acute care hospitals, and would also apply to diagnostic and treatment centers.
In anticipation of the regulations becoming law, New York hospitals are advised to proactively assess and update their cybersecurity infrastructure, controls, policies, and procedures. For assistance in navigating these requirements and ensuring compliance, hospitals can contact Robert Braumuller at (914) 287-6185 or rbraumuller@bpslaw.com.