In May 2024, the New York State Department of Health (“NYSDOH”) issued revisions to proposed regulations on hospital cybersecurity that it first released in November 2023. The proposed revised regulations are subject to public comment ending on July 1, 2024, and would apply to general hospitals licensed under Article 28 of the NYS Public Health Law.
NYSDOH proposed the initial regulations in the aftermath of several high-profile cybersecurity breaches affecting hospitals and health systems. The initial regulations were designed to ensure that covered hospitals maintain a minimum baseline of cybersecurity controls for safeguarding protected health information. For example, the regulations sought to require that hospitals establish a cybersecurity program designed to perform core functions of identifying, assessing, and defending against internal and external risks that may threaten the security or integrity of nonpublic information or information systems, as well as responding to and recovering from cybersecurity events. Those programs would need to be adopted in accordance with the hospital’s risk assessment and applicable law and managed by qualified cybersecurity personnel or a third-party service provider.
After a round of public comments, NYSDOH revised its proposed regulations to focus on ensuring the continuity of hospital operations and to respond to concerns voiced in the comment period. One of the most stringent provisions in the initial regulations was the requirement that hospitals report cybersecurity incidents that involved ransomware deployment, or that could have had or did have a material adverse impact on the hospital’s operations, to NYSDOH within two hours after determining that an incident occurred. After industry pushback in the comment period, NYSDOH relaxed that timeframe to 72 hours.
The proposed regulations would also require hospitals to:
- Designate a Chief Information Security Officer (CISO) who will be responsible for recommending the hospital’s cybersecurity program for approval by the hospital’s governing body and generally overseeing the cybersecurity program. NYSDOH indicated, in response to commenter questions, that a hospital’s governing body would be required to determine whether a single CISO can handle multiple hospitals within the organization’s network based on its risk assessment and organizational structure or if separate CISOs are needed for each hospital.
- Implement written policies and procedures that address a range of cybersecurity areas, including but not limited to information security, data governance, network security and monitoring, incident response, business continuity, access controls, vendor and third-party service provider management, and employee training.
- Extend the applicability of cybersecurity functions and protections to cover so-called “nonpublic information,” which is broader than information subject to HIPAA and covers a hospital’s confidential business-related information in addition to identifying information.
- Implement specific security controls to address and mitigate risks from email-based cyber threats (such as business email compromise resulting from phishing and email spoofing).
- Adhere to user access and privilege requirements to limit access to information systems containing nonpublic information, minimize the number of privileged accounts that can perform security governance functions, and review and maintain access privileges and controls in a timely manner (including in response to events like employee departures).
- Perform annual risk assessments of potential risks and vulnerabilities to the confidentiality, integrity, and availability of nonpublic information and information systems sufficient to inform the design of the cybersecurity program.
- Perform penetration testing and vulnerability assessments consistent with a hospital’s risk assessment at least annually.
- Use risk-based authentication, such as multifactor authentication, or other compensating controls to access the hospital’s internal network from an external network and generally to protect against unauthorized access to nonpublic information.
- Maintain, for at least six years, records pertaining to the design, security, and maintenance of information systems, as well as audit trails sufficient to detect and respond to cybersecurity threats that have a reasonable likelihood of materially harming any material part of the hospital’s operations.
While many of the requirements are already considered best practices or exist under laws like HIPAA, organizations should evaluate their cybersecurity policies and procedures to ensure compliance with the new requirements. If adopted, hospitals would have one year from the effective date to comply with the new requirements; however, the obligation to report cybersecurity incidents to NYSDOH within 72 hours would take effect immediately.