NY State Eyes New Cyber Regs for Hospitals; $500M Price Tag
Proposals Require a CISO, Strong Cyber Controls, 2-Hour Incident Reporting Window
New York State will soon seek public comment on sweeping new cybersecurity regulations for hospitals, including a two-hour window for reporting major breaches. The proposed rules would come with $500 million in requested funding to help the providers step up their security investments to comply with the new requirements.
The draft proposals include requirements for hospitals' cybersecurity programs, incident response plans and risk assessments; controls, such as the use of multifactor authentication and encryption; and security risk management for third-party-developed software.
The proposed state regulations also would require hospitals to establish a CISO role, if one does not exist already, to enforce the newly mandated policies and to annually review and update them as needed.
"Our interconnected world demands an interconnected defense against cyberattacks, leveraging every resource available, especially at hospitals," said New York Gov. Kathy Hochul, who announced the proposals on Nov. 13, calling them a "nation-leading blueprint" for cyber resiliency.
Healthcare organizations would be required to notify the state within two hours of discovering an incident that may have a material adverse impact on the hospital's normal operations, that has a reasonable likelihood of materially harming any material part of the facility's normal operation, or that results in the deployment of ransomware within a material part of the hospital's information systems.
The proposals are set to be published in the New York State Register on Dec. 6, followed by 60 days of public comment, ending Feb. 5, 2024.
Funding for Proposals
To help hospitals pay for complying with the proposed cybersecurity rules, the New York State Health Department is issuing a request for a new $500 million healthcare technology capital program, the statement said. Funding for the program was appropriated in the state's fiscal 2024 budget, with the intention of supporting facilities' technological needs, including for cybersecurity purposes.
"It is both economically and technologically feasible for hospitals to become compliant with the proposed regulations," the draft proposal states. "There currently exists a significant amount of technology and software which can be licensed or purchased to provide network monitoring, notification, staff training and exercises and multifactor or risk-based authentication, among others."
Economically, it will be easier for hospitals that are part of large healthcare systems or are located in urban areas to comply with the proposed regulations than it may be for smaller or more rural facilities, the draft said. "This is due to the fact that the larger facilities and systems may already have aspects of the regulations," it said.
The costs for the program will vary depending on the level of preparedness of each hospital, the draft said. Facilities that have less mature cybersecurity programs and require significant development may require initial funding of $250,000 to $10 million, the state estimated.
The state estimated the ongoing annual costs for small hospitals that have fewer than 10 acute care or ICU beds to be $50,000 to $200,000. There are 15 such hospitals in the state.
For medium-sized hospitals - those with between 10 and 100 beds - the state estimated ongoing costs of $200,000 to $500,000. There are 62 such hospitals in the state.
For New York State's 114 large hospitals - defined as those having more than 100 beds - the state estimated ongoing annual costs of $2 million. "Facilities may be able to purchase equipment or services from state contract lists where appropriate and applicable. Facilities also will be able to contract with appropriate third-party vendors or contractors to help ensure compliance with the proposed regulations," the draft proposal said.
State funding to help hospitals meet the new proposed requirements is critical, said privacy attorney David Holtzman of the consulting firm HITprivacy LLC.
"Multiple surveys have shown that healthcare institutions are under significant financial stress due to a number of factors that have affected revenue - including the COVID-19 epidemic, reductions in Medicare and Medicaid reimbursement rates, and rising labor and material costs," he said.
"These factors have reduced funds available for investment in the people and technologies needed to keep up with the cybersecurity and ransomware threats to information systems," he said.
The New York State Public Health and Health Planning Council reviewed the draft regulations last week and discussed them during a public hearing on Thursday. Some council members expressed interest in potentially including other types of healthcare facilities - such as nursing homes, community health centers, dialysis centers and ambulatory surgery centers - in the regulatory effort.
But for now, as written, the draft proposals pertain to "all general hospitals licensed pursuant to Article 28" of New York's Public Health Law.
"The department will then need to assess all of the public comments before bringing the regulation back to PHHPC for final approval," a spokeswoman for the Department of Health told Information Security Media Group.
Currently in New York, there are no state cybersecurity requirements for the safeguarding and security of patients' protected health information and personal identifiable information, the draft proposal says.
"New Yorkers seeking medical care have no guaranteed minimum levels of protection of their information. As a result of this, there have been several high-profile cybersecurity breaches at facilities across the state which have resulted in not only a loss of patient financial and health data, but in some cases has also delayed care," the draft proposal says.
The draft says the cybersecurity program hospitals must establish "shall be designed to supplement HIPAA and shall not replace any provisions of the HIPAA Security Rule or any existing patient protections afforded and mandated under HIPAA."
While hospitals - like other HIPAA-covered entities in New York - already must comply with federal regulations, the proposed state requirements raise the bar, some experts say.
If the proposals are adopted, the New York Health Department will be mirroring what the New York Department of Financial Services has been doing for the past few years: enhancing and expanding on federal regulations for additional state oversight of cybersecurity in critical sectors, said Mike Hamilton, founder and CISO of security firm Critical Insight.
"This would augment the federal initiatives secure by design, the software bill of materials, and IoT security labeling," Hamilton said. "These requirements would create more of a state-level responsibility to perform control audits and move some of the responsibility from Health and Human Services to provide scalability to these audits that a federal agency cannot achieve."
The availability of grant funding to the hospitals will be focused on technology upgrades, "as technical debt and the associated vulnerabilities are known to be a primary exploitation vector for threat actor initial access in the healthcare sector," Hamilton said.
"The funding and how it will be adjudicated is also similar to the federal, state and local cybersecurity grant program, which is embedded in the bipartisan infrastructure law - although at a much higher level of investment - and the application process developed for the first round of that grant may be reused for the healthcare sector," he said.
Overall, New York's proposed regulations can be described as an effort to set objective administrative and technical standards to address threats and vulnerabilities to information and medical technology prevalent in the current healthcare environment, Holtzman said.
"These proposed regulations are meant to support and supplement the HIPAA Security Rule standards, bringing approaches that were appropriate for the 1990s into the 21st century."