New York hospitals face new cybersecurity rules. Will other states follow?

REAL ECONOMY BLOG | December 22, 2023

Authored by RSM US LLP

According to the U.S. Department of Health and Human Services Office for Civil Rights, approximately 85 million patients have had their personal information compromised through the first nine months of 2023, compared with 38 million in the same time period in 2022 and 43.9 million in 2021. Nearly 25% of cyberattacks in 2022 targeted the health care industry and data security overall remains to be a challenge.

In an effort to combat these ongoing threats, New York Governor Kathy Hochul has proposed cybersecurity regulations applicable to all hospitals located within the state to address cybersecurity challenges.

The proposed regulations are aimed at strengthening hospital efforts at safeguarding systems and nonpublic information from cyber threats. The proposed rule would require hospitals to establish a cybersecurity program and take steps to assess internal and external risks. The rule was published in the state register on Dec. 6, with a 60-day comment period ending Feb. 5.

In addition, to aid hospitals, New York state will set aside $500 million in grant funding that organizations can access for technology upgrades, to hire resources, and to build effective training and testing programs.

Important considerations of the new rule

As numerous cyberattacks continue to plague the health care industry, it is imperative that hospitals and health systems take the measures necessary to prevent unauthorized access to their systems.

In New York, hospitals already have cybersecurity responsibilities under the Health Insurance Portability and Accountability Act (HIPAA), which sets minimum standards for cybersecurity. The proposed regulations are intended to complement and supplement the HIPAA security rule and would require hospitals to establish within its policies and procedures a cybersecurity program based on the hospital’s risk assessment.

The proposed rule includes for cybersecurity governance, technical controls and external reporting. While all of these requirements are subject to change through the comments process, the following areas could be the most challenging to comply with for many hospitals:

• Conduct an annual risk assessment of the hospital’s potential risks and vulnerabilities.
• Designate a chief information security officer, or CISO, to develop and enforce the hospital’s security policy and oversee the organizations cybersecurity program, including the annual approval of policies and presentation of risks to the governing bodies.
• Implement adequate and documented incident response protocols.
• Ensure that multi-factor authentication is used for external access to the hospital network.
• Implement procedures for evaluating, assessing and testing the security of externally developed applications; and ensure the use of secure development practices for in-house developed applications.
• Proposed notification requirements: a hospital’s CISO shall notify the department within two hours of determination that a cybersecurity incident has occurred.

In terms of the New York rule, hospitals will have one year to comply with the requirements once enacted; however, the obligation to report cybersecurity incidents to the New York State Department of Health would be effective immediately. Learn more about the requirements.

The state of New York has recognized a critical issue that hospitals have faced for many years and is now taking action to elevate the state’s hospital compliance standards that would enhance a hospital’s risk assessment program to safeguard and protect the sustainability of an organization.

The state is additionally willing to financially assist hospitals; however, the success of the newly proposed compliance standards will depend on careful implementation and support for hospitals navigating the evolving landscape.

Could other states follow?

In the first half of the year, more than 220 hospitals were affected by cyberattacks, according to the American Hospital Association. While New York is taking steps to address these growing threats, will other states follow?

“It is difficult to predict if other states will follow this example, but we can expect health systems across the country to look to the New York law as another guiding set of requirements,” says Gregory Vetter, principal at RSM US LLP. “Similar to regulations from other states or industries, a progressive security program will look for leading practices and requirements to include as part of their security framework. While New York state hospitals will be required to comply, I would expect many health systems in other states to monitor this closely and incorporate elements of the rule into their current program.”