New York State is imposing new regulations that would establish cybersecurity policies and procedures for hospitals in the state. According to the NYS release, “hospitals will be required to establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks, use defensive techniques and infrastructure, implement measures to protect their information systems from unauthorized access or other malicious acts, and take actions to prevent cybersecurity events before they happen.” The draft regulations, announced last week, will be published by the Department of Health on 6 December, and will complement existing Federal standards under HIPAA.
The proposed regulations will mandate:
- Response plans to a cybersecurity incident
- Notification to appropriate partners
- Testing of response plans to ensure continuity of patient care while systems are restored to normal operations
- Written procedures, guidelines, and standards to develop secure practices for in-house applications
- Policies and procedures for evaluating, assessing, and testing the security of externally developed applications used by the hospital
- Multi-factor authentication (MFA) implemented to access internal networks from outside networks
- Establishment of a Chief Information Security Officer (CISO) if one doesn’t exist presently in order to enforce the new policies, plus annual reviews and updates
The draft regulations are scheduled to be published on 6 December with a 60-day public comment period ending on 5 February 2024. After the finalization and adoption of the new regulations, hospitals have exactly one year to comply.
Included in the state’s FY24 budget is $500 million in funding for modernization of clinical tech, cybersecurity tools, EMRs and other technological upgrades. They will be part of an upcoming statewide capital program call for applications to improve quality of care, patient experience, accessibility, and efficiency. Given the size of NY state and number of hospitals, plus the time frame, this fund may be spread thin indeed. NYS release, MedCityNews
This Editor attended the Official Cybersecurity Summit New York 2023 last Friday, with a security briefing by NY State’s deputy chief cyber officer for operations, Jesse Sloman. He described the overall strategy of the state agency, the first ever, as building a unified, resilient, and prepared cybersecurity strategy across all agencies in the state, with a single point for operations including law enforcement, military, transportation, and of course healthcare. Certainly, internally instigated breaches, ransomware attacks, DDOS, and nation-state/transnational cyberattacks by Russian ransomwareistes like CLOP are expensive. He quoted a five-year loss of $27.6 billion with 3.2 million complaints–with 2022 alone costing $10.3 billion.
What’s his biggest concern? A multi-state, multi-sector geopolitical event that threatens multiple operations.