
A Look at New York’s Proposed Cybersecurity Regulation of Hospitals
New York has become the first state to propose comprehensive cybersecurity regulations aimed at enhancing patient safety and addressing cybersecurity concerns in all hospitals operating within the state. This initiative, introduced in November of last year, is part of New York’s ongoing commitment to issuing industry-specific cyber regulations, building on the precedent set for financial institutions in 2017.
The proposed regulations, if passed, seek to fortify the data privacy and cybersecurity protocols of hospitals, complementing the existing Security Rule of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). By doing so, the regulations aim to not only safeguard sensitive patient information but also mitigate disruptions to healthcare administration caused by cybersecurity incidents.
Key Requirements of New York’s Cybersecurity Regulations for Hospitals:
- Comprehensive Cybersecurity Protocols: Hospitals will be required to establish robust cybersecurity protocols to ensure the integrity and confidentiality of patient data.
- Cybersecurity Program and Risk Assessment: Hospitals must develop and maintain a cybersecurity program, conduct regular assessments of cybersecurity risks, and establish a response protocol in the event of a cybersecurity incident.
- Chief Information Security Officer (CISO): Hospitals are mandated to appoint a CISO to oversee and lead cybersecurity efforts within the institution.
- Multifactor Authentication: Access to hospital internal networks from an external network will require the use of multifactor authentication, adding an extra layer of security.
- Security Guidelines for On-Premise Applications: Hospitals must adopt written procedures, guidelines, and standards to ensure the security of on-premise applications.
- Incident Reporting: Hospitals must promptly identify material cybersecurity incidents that impact hospital operations and report them to the relevant stakeholders within two hours of the incident.
The proposed regulations are currently open for a 60-day public comment period, set to conclude on February 5, 2024. If the regulations are finalized and adopted in their current form, hospitals in New York will have a one-year grace period to achieve compliance, beginning on the enactment date. The regulations would apply to all general hospitals licensed pursuant to Article 28 of the Public Health Law, which is not limited to acute care hospitals, and would apply to diagnostic and treatment centers.
In anticipation of the regulations becoming law, New York hospitals are advised to proactively assess and update their cybersecurity infrastructure, controls, policies, and procedures. For assistance in navigating these requirements and ensuring compliance, hospitals can contact Robert Braumuller at (914) 287-6185 or rbraumuller@bpslaw.com.
New York is First State in the Nation to Propose Cybersecurity Regulations Impacting Banks, Insurance Companies and Mortgage Lenders
The New York State Department of Financial Services has proposed regulations that would impose new cybersecurity requirements on banks, insurance companies, mortgage lenders and others. The proposed regulations, issued pursuant to the Financial Services Law, would apply to entities that require a license or authorization under New York State banking, insurance or financial services laws to operate. New York is the first state in the nation to propose such cybersecurity regulations, which are designed to thwart nation-states, terrorist organizations and independent criminal actors from exploiting technological vulnerabilities to gain access to sensitive electronic data. The proposed regulations would create minimum cybersecurity standards to protect customer information and information technology systems.
These proposed regulations address the following key areas:
- Establishment of a cybersecurity program
- Implementation of a written cybersecurity policy
- Designation of a Chief Information Security Officer
- Implementation of a written third party vendor information security policy
- Notification requirements to the Superintendent of Financial Services
Cybersecurity Program
Each entity that is covered by these regulations would be required to establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of its information systems. The core functions that the program must perform include identifying nonpublic information stored on information systems, using defensive infrastructure to protect this information, detecting any threats to information systems and recovering and restoring operations after such a threat is detected.
Cybersecurity Policy
The written cybersecurity policy must address protection of information systems and the nonpublic information stored therein. The proposed regulation includes over a dozen areas, such as systems and network security, access controls, risk assessment, and customer data privacy, which, at a minimum, must be included in the policy. In addition, this policy would be required to be reviewed by the company’s board of directors and approved by a senior officer.
Chief Information Security Officer
The proposed regulations would also require the designation of a Chief Information Security Officer, who will oversee and implement the cybersecurity program and enforce the cybersecurity policy. In addition, entities covered by this regulation would be required to employ cybersecurity personnel sufficient to manage cybersecurity risks and to perform core cybersecurity functions.
Third Party Vendor Information Security Policy
The third party vendor information security policy would be required to ensure the security of information systems and nonpublic information that are accessible to or maintained by third party vendors. These policies would be required to address certain key areas, including risk assessments of vendors and due diligence processes used to evaluate vendors, as well as establishing preferred provisions, such as use of encryption, right to audit vendors, and vendors’ use of authentication to access information, to be included in vendor contracts.
Notification Requirements
The proposed regulations would require each entity that is covered to notify the Department of Financial Services within 72 hours of becoming aware of a cybersecurity threat that has a reasonable likelihood of materially affecting operations or that affects nonpublic information. In addition, starting January 15, 2018, the regulations would require the board of directors or a senior officer to submit an annual compliance certification (the regulations provide a template of the certification to be used).
The proposed regulations do contain a limited exception for smaller companies, but would still require these smaller companies to comply with certain requirements. The proposed regulations were subject to public comment until November 14, 2016. If they are finalized in their current form, they would go into effect January 1, 2017. Those affected by the regulations would have until June 30, 2017 to come into compliance. The proposed regulations do not specify penalties for non-compliance. If adopted, it is possible that courts would look to the regulations to define the proper standard of care in this developing legal area.
For more information about the proposed regulations or advice regarding compliance, please contact Zachary Cohen or any of the co-chairs of Bleakley Platt’s Information Technology and Cybersecurity Practice Group: Thomas G. Bailey, Robert Braumuller or Richard F. Markert.