State

New York proposes cybersecurity regulations for state’s hospitals

Gov. Kathy Hochul proposed rules that include a mandate for hospitals to develop their own cybersecurity programs and incident response plans.

By Keely Quinlan

November 14, 2023

New York Gov. Kathy Hochul speaks at the campaign launch event for "We Love NYC" in Times Square on March 20, 2023 in New York City. (Alexi Rosenfeld / Getty Images)

New York Gov. Kathy Hochul on Monday proposed a new set of cybersecurity regulations for the state’s hospitals, including a mandate that hospitals develop their own programs and response plans and appoint chief information security officers if they don’t already have one.

Officials said the proposed regulations aim to safeguard the critical networks and systems that hospitals use to provide patient care. They would complement to the rules of the Health Insurance Portability and Accountability Act, which protect patient data and health records.

Along with establishing their own cyber programs, hospitals would have be required to regularly assess risks, implement protective measures for their information systems and use defensive techniques to prevent cybersecurity events, according to a press release. The proposed regulations would also require that hospitals develop cyber incident response plans, including notification systems to alert affected parties.

Under the proposed rules, hospitals would also be required to run tests of their response plan to ensure that patient care can continue while systems are restored to normal operations during and after cyber incidents, the release explained. The regulations also would require hospitals to use multifactor authentication, a growing standard in IT security.

Hochul’s FY 2024 budget, which was announced in May, includes $500 million for health care facilities to upgrade their technology systems to comply with the proposed regulations.

Applications for funds will open soon, the news release said, and can be used for advanced clinical technologies, cybersecurity tools, electronic medical records and other technological upgrades to improve quality of care, patient experience, accessibility or efficiency.

The proposed regulations will be considered by the state’s Public Health and Health Planning Council this week, which has the authority to formally adopt the rules. If the council chooses to adopt the regulations, they would be published in the State Register on Dec. 6 and undergo a 60-day public comment period.

The comment period will end on Feb. 5, 2024, and once the regulations are finalized, hospitals would have one year to ensure they’re complaint.

“Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals,” Hochul said in the release. “These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”

The regulations build on Hochul’s statewide cyber strategy, which she announced in August and serves as the state’s first-ever cyber risk mitigation roadmap. The strategy includes high-level objectives for cybersecurity and resilience, unifies existing cyber initiatives and clarifies the various roles agencies play in cyberdefense.