New York State drafting proposed cybersecurity regulations for hospitals, allocates $500M for upgrades

New York State is imposing new regulations that would establish cybersecurity policies and procedures for hospitals in the state. According to the NYS release, “hospitals will be required to establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks, use defensive techniques and infrastructure, implement measures to protect their information systems from unauthorized access or other malicious acts, and take actions to prevent cybersecurity events before they happen.” The draft regulations, announced last week, will be published by the Department of Health on 6 December, and will complement existing Federal standards under HIPAA. 

The proposed regulations will mandate:

  • Response plans to a cybersecurity incident
  • Notification to appropriate partners
  • Testing of response plans to ensure continuity of patient care while systems are restored to normal operations
  • Written procedures, guidelines, and standards to develop secure practices for in-house applications
  • Policies and procedures for evaluating, assessing, and testing the security of externally developed applications used by the hospital
  • Multi-factor authentication (MFA) implemented to access internal networks from outside networks
  • Establishment of a Chief Information Security Officer (CISO) if one doesn’t exist presently in order to enforce the new policies, plus annual reviews and updates 

The draft regulations are scheduled to be published on 6 December with a 60-day public comment period ending on 5 February 2024. After the finalization and adoption of the new regulations, hospitals have exactly one year to comply.

Included in the state’s FY24 budget is $500 million in funding for modernization of clinical tech, cybersecurity tools, EMRs and other technological upgrades. They will be part of an upcoming statewide capital program call for applications to improve quality of care, patient experience, accessibility, and efficiency. Given the size of NY state and number of hospitals, plus the time frame, this fund may be spread thin indeed. NYS release, MedCityNews

This Editor attended the Official Cybersecurity Summit New York 2023 last Friday, with a security briefing by NY State’s deputy chief cyber officer for operations, Jesse Sloman. He described the overall strategy of the state agency, the first ever, as building a unified, resilient, and prepared cybersecurity strategy across all agencies in the state, with a single point for operations including law enforcement, military, transportation, and of course healthcare. Certainly, internally instigated breaches, ransomware attacks, DDoS, and nation-state/transnational cyberattacks by Russian ransomwareistes like CLOP are expensive. He quoted a five-year loss of $27.6 billion with 3.2 million complaints–with 2022 alone costing $10.3 billion.

What’s his biggest concern? A multi-state, multi-sector geopolitical event that threatens multiple operations.

Could DocGo be another Babylon Health or Theranos? CEO resignation may be only the start of their troubles.

Another ‘fake it till you make it’ healthcare enterprise? Only a short month ago, things were fair and warmer for DocGo. They had recently transitioned from a mobile Covid-19 testing company under various contracts back to their original purpose–a telehealth/RPM, mobile urgent care, disease management, and medical transportation provider, with mobile vans covering the NYC metro. Founded in 2015 by Stan Vashovsky, now chairman, new CEO Anthony ‘Al’ Capone had successfully leveraged their mobility into a $425 million no-bid contract with New York City to provide medical services and more for over 19,000 migrants flooding into the city and being housed in the surrounding upstate counties. The company also plumped that they were up for a multibillion-dollar Federal contract with the US Customs and Border Protection agency.

DocGo’s stumbles starting in July continuing into August in both medical and non-medical services to migrants housed upstate put them on the press radar, notably the capital’s paper of record, the Albany Times-Union, in the weeks after their bright Q2 report [TTA 10 Aug, 16 Aug].

On 14 August, some basic checking by the Times-Union uncovered that Mr. Capone’s master’s in computer science from Clarkson University was never granted and that he never attended Clarkson, according to the university. This degree claim was included in the SEC filing and touted to investors by him as an MS in computational learning theory, a subset of artificial intelligence. His undergraduate degree from SUNY Potsdam was not confirmed by that university or by his spokesperson. Mr. Capone had worked for DocGo since 2017, previously serving as president, chief technology officer, and CPO, becoming CEO only this year. In nearly six years, no one had checked his credentials.

On Friday 15 Sept, Mr. Capone resigned from DocGo, citing typical ‘personal reasons’. His apology and taking ‘full responsibility’ did not save him. He has been replaced by Lee Bienstock, the company president and chief operating officer.  Mr. Bienstock came to DocGo from Google in 2022 and holds an MBA from Wharton (University of Pennsylvania). Times-Union 15 Aug, Release

But…there’s more.

  • The no-bid NYC contract was contested two weeks ago (6 Sept) by the city comptroller, Brad Lander. Mr. Lander, like a corporate CFO, can send back a contract to a city agency, in this case to Housing Preservation Development (HPD). His review cited insufficient budget detail, possible inadequacy of the vendor to provide services, and a few other important items. Unlike a CFO, Mr. Lander’s office is largely toothless and can’t say no. HPD plans to sign off on it anyway as DocGo is quite tight with Mayor Eric Adams. Mayor Adams spoke at the DocGo in-person Investor Day on Tuesday 20 June about their partnership with the city. Adams has already stated that “We are going to move forward with it.” FierceHealthcare  
  • According to the New York Post and Fortune, New York State Attorney General Letitia James and Gov. Kathy Hochul have launched investigations into the company, focusing on how DocGo could contract for logistical operations to transport, house, feed, and care for these thousands of migrants in New York State, an outcome of DocGo’s failures reported last month by the Times-Union.

DocGo is a public company traded on Nasdaq under DCGO. Share prices fell 12% on Mr. Capone’s resignation but rebounded to about 7% down off the recent $10 high after their mid-August reporting. Seeking Alpha DocGo went public through the then-popular SPAC method with Motion Acquisition in November 2021, raising $158 million in cash at that time. Unlike other SPACs, their share price generally hovered around the introductory $10 pricing and recovered fairly quickly from two bad dips to $6 in May and December 2022. NS Medical Device

DocGo’s response to the AG’s office and to the comptroller, the politics of the New York State and City crisis around thousands of migrants flooding housing, the streets, and schools, whether their contracts continue, and their internal financials will determine DocGo’s viability in the future. For those of us with long memories though, DocGo is repeating a pattern: first Peak Hype Altitude, then the Pileup of Problems on their wings, finally crashing to Total Hull Loss. Those are the ominous parallels with Theranos and Babylon Health.