Menu Close

New York hospitals face new cybersecurity rules. Will other states follow?

REAL ECONOMY BLOG | December 22, 2023

Authored by RSM US LLP

According to the U.S. Department of Health and Human Services Office for Civil Rights, approximately 85 million patients have had their personal information compromised through the first nine months of 2023, compared with 38 million in the same time period in 2022 and 43.9 million in 2021. Nearly 25% of cyberattacks in 2022 targeted the health care industry and data security overall remains to be a challenge.

In an effort to combat these ongoing threats, New York Governor Kathy Hochul has proposed cybersecurity regulations applicable to all hospitals located within the state to address cybersecurity challenges.

The proposed regulations are aimed at strengthening hospital efforts at safeguarding systems and nonpublic information from cyber threats. The proposed rule would require hospitals to establish a cybersecurity program and take steps to assess internal and external risks. The rule was published in the state register on Dec. 6, with a 60-day comment period ending Feb. 5.

In addition, to aid hospitals, New York state will set aside $500 million in grant funding that organizations can access for technology upgrades, to hire resources, and to build effective training and testing programs.

Important considerations of the new rule

As numerous cyberattacks continue to plague the health care industry, it is imperative that hospitals and health systems take the measures necessary to prevent unauthorized access to their systems.

In New York, hospitals already have cybersecurity responsibilities under the Health Insurance Portability and Accountability Act (HIPAA), which sets minimum standards for cybersecurity. The proposed regulations are intended to complement and supplement the HIPAA security rule and would require hospitals to establish within its policies and procedures a cybersecurity program based on the hospital’s risk assessment.

The proposed rule includes for cybersecurity governance, technical controls and external reporting. While all of these requirements are subject to change through the comments process, the following areas could be the most challenging to comply with for many hospitals:

  • Conduct an annual risk assessment of the hospital’s potential risks and vulnerabilities.
  • Designate a chief information security officer, or CISO, to develop and enforce the hospital’s security policy and oversee the organizations cybersecurity program, including the annual approval of policies and presentation of risks to the governing bodies.
  • Implement adequate and documented incident response protocols.
  • Ensure that multi-factor authentication is used for external access to the hospital network.
  • Implement procedures for evaluating, assessing and testing the security of externally developed applications; and ensure the use of secure development practices for in-house developed applications.
  • Proposed notification requirements: a hospital’s CISO shall notify the department within two hours of determination that a cybersecurity incident has occurred.

In terms of the New York rule, hospitals will have one year to comply with the requirements once enacted; however, the obligation to report cybersecurity incidents to the New York State Department of Health would be effective immediately. Learn more about the requirements.

The state of New York has recognized a critical issue that hospitals have faced for many years and is now taking action to elevate the state’s hospital compliance standards that would enhance a hospital’s risk assessment program to safeguard and protect the sustainability of an organization.

The state is additionally willing to financially assist hospitals; however, the success of the newly proposed compliance standards will depend on careful implementation and support for hospitals navigating the evolving landscape.

Could other states follow?

In the first half of the year, more than 220 hospitals were affected by cyberattacks, according to the American Hospital Association. While New York is taking steps to address these growing threats, will other states follow?

“It is difficult to predict if other states will follow this example, but we can expect health systems across the country to look to the New York law as another guiding set of requirements,” says Gregory Vetter, principal at RSM US LLP. “Similar to regulations from other states or industries, a progressive security program will look for leading practices and requirements to include as part of their security framework. While New York state hospitals will be required to comply, I would expect many health systems in other states to monitor this closely and incorporate elements of the rule into their current program.”

Do you have questions or want to talk to a LaPorte professional?

Fill out the form below and we’ll contact you to discuss your situation.

  • Should be Empty:
  • Topic Name:

This article was written by Michael Haas and originally appeared on 2023-12-22.
2022 RSM US LLP. All rights reserved.

RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each is separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit us for more information regarding RSM US LLP and RSM International. The RSM logo is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.

LaPorte CPAs & Business Advisors is a proud member of the RSM US Alliance, a premier affiliation of independent accounting and consulting firms in the United States. RSM US Alliance provides our firm with access to resources of RSM US LLP, the leading provider of audit, tax and consulting services focused on the middle market. RSM US LLP is a licensed CPA firm and the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.

Our membership in RSM US Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise, and technical resources.

For more information on how LaPorte CPAs & Business Advisors can assist you, please call 713.548.2034.