NY Proposes Tightened Cybersecurity Regulations For Hospitals

November 13, 2023 - New York Governor Kathy Hochul proposed a set of sweeping cybersecurity regulations that would apply to hospitals across the state, along with $500 million in funding to help healthcare facilities upgrade their technology systems to meet the requirements of the proposed rules.

The regulations, the text of which will be published in the State Register on December 6 pending adoption by the Public Health and Health Planning Council this week, will require hospitals to implement defensive infrastructure to prevent cyberattacks and develop incident response plans.

Additionally, New York hospitals will be required to establish a Chief Information Security Officer (CISO) role if not already in place, and to use multi-factor authentication. What’s more, hospitals will have to establish policies for evaluating and testing the security of third-party applications used by the hospital and run tests of their incident response plans to ensure that patient care continues amid a disruption.

"Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals,” Hochul stated.

"These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”

The announcement follows a year of relentless cyberattacks against healthcare organizations, including those in New York. According to the HHS Office for Civil Rights (OCR), 77 percent of healthcare data breaches reported to HHS this year were attributed to hacking. This differs greatly from historical data – just 49 percent of the breaches reported to HHS between 2009 and 2022 were attributed to hacking.

Hochul’s office framed the proposed rules as a “complement” to the HIPAA Security Rule, which contains many of the same requirements, albeit intentionally less prescriptive. The proposed regulations for New York appear to be more mandate-based, outlining specific requirements that New York hospitals must follow.

The $500 million in funding will be available for New York healthcare organizations to apply for in the near future and will go toward modernizing healthcare facilities as well as advancing cybersecurity tools, clinical technologies, and other technology upgrades.

“When it comes to protecting New Yorkers from cyberattacks that have become more numerous and more sophisticated, safeguarding our hospitals is an essential part of New York’s aggressive and comprehensive whole-of-state approach,” said Dru Rai, New York state’s chief information security officer.

“We thank the Governor and our agency partners for their ongoing commitment and are pleased that the state’s hospitals will be getting the uniform guidance and resources necessary to further enhance their own cybersecurity, thereby protecting patients and the critical systems that provide quality care all across New York.”

Once the regulations are published in the State Register, there will be a 60-day public comment period to allow stakeholders to provide their input. If finalized, hospitals will have one year to come into compliance with the new regulations.