New York Governor Kathy Hochul has proposed a slew of new cybersecurity regulations for hospitals in the state, aimed at strengthening their technology systems against cyber threats.
The governor plans to allocate $500 million from the state's fiscal year 2024 budget to help hospitals upgrade their systems in line with the newly proposed measures.
The proposed rules announced on Monday act as a complement to the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule that safeguards patient data and records.
“Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals. These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats,” Governor Hochul said in a statement.
The proposal will first be reviewed by New York’s Public Health and Health Planning Council this week. If approved, the regulations will be published in the State Register early next month for a 60-day period of public commentary. Once officially adopted, hospitals will have 1 year to comply with the finalized requirements.
New York State Chief Cyber Officer Colin Ahern highlighted the need to introduce cybersecurity regulations for hospitals in the state. “As hospitals face growing cyber threats, it is imperative that we enable them to defend against attacks and these draft regulations and financial commitment do just that. We look forward to receiving public feedback over the next 60 days before finalizing the regulations to support improved cyber defenses and resilience for hospitals statewide,” he said in a statement.
Under the proposed rules, hospitals will need to create their own cybersecurity programs, including written procedures, guidelines, and standards for safe use of software; evaluate cyber risks inside and outside of the organization; and establish defensive measures to protect their information systems from bad actors. One of these measures would require hospital employees to use multi-factor authentication when accessing internal networks from an external network.
Further, hospitals would need to develop response plans for potential cybersecurity incidents, perform test runs of those plans to make sure they can continue operations as they work to restore their systems after an attack, and outline how they plan to notify the appropriate government bodies if an incident occurs. They’ll also need a Chief Information Security Officer who’ll be responsible for enforcing the new rules, reviewing them every year, and updating them if needed.
“Under Governor Hochul’s leadership, New York State has significantly enhanced its cyber defenses, which are critically important to our healthcare system. When we protect hospitals, we protect patients,” New York State Health Commissioner Dr. James McDonald said. “These nation-leading draft cybersecurity hospital regulations build on the Governor’s state of the state priority by helping protect critical systems from cyber threats and ensuring New York’s hospitals and health care facilities stay secure.”