Governor Kathy Hochul has released proposed cybersecurity regulations for hospitals in New York that would require them to implement minimum cybersecurity controls to safeguard protected health information and to avoid delays in care resulting from cybersecurity events. The proposed regulations would require hospitals to develop, implement and maintain a cybersecurity program covering minimum cybersecurity standards, cybersecurity staffing, network monitoring and testing, policy and program development, employee training and remediation, incident response and reporting protocols, and records retention.
Recognizing that an effective cybersecurity program will require significant startup costs and ongoing annual costs to maintain, the governor has announced that the $500 million in funding for health technology and cybersecurity in the Statewide Health Care Facility Transformation Program V, enacted as part of the FY24 budget, will be used to assist hospitals in meeting the requirements of these regulations.
The proposed regulations were reviewed by the Public Health and Health Planning Council and will be formally published in the State Register on December 6, after which they will be subject to a public comment period before adoption. Once adopted, hospitals will have one year from the effective date to implement and comply with the new regulations.
As proposed, all hospitals will be required to comply with the following requirements:
- Conduct an accurate annual risk assessment of the hospital’s potential risks and vulnerabilities to the confidentiality, integrity and availability of nonpublic information held by the hospital
- Establish within its policies and procedures a cybersecurity program based on the hospital’s risk assessment, designed to:
  - Identify and assess internal and external cybersecurity risks
  - Use defensive infrastructure to protect the hospital’s information systems
  - Detect cybersecurity events
  - Respond to detected cybersecurity events to mitigate any negative effects
  - Recover from cybersecurity events and incidents and restore normal operations
- Establish a chief information security officer (CISO) role, which may be held by an employee of the hospital, an employee of a third party or a contract vendor
- Monitor and test the cybersecurity program, which must include penetration testing of the hospital’s information systems by a qualified internal or external party at least annually
- Maintain systems that include audit trails designed to detect and respond to cybersecurity events, and retain those audit records for a minimum of six years
- Use qualified cybersecurity personnel of the hospital, an affiliate or a third-party service to manage the hospital’s cybersecurity risks and oversee the performance of the core cybersecurity functions
- Establish policies to ensure the security of information systems and nonpublic information that are accessible by third-party service providers
- Use multifactor authentication, risk-based authentication or another compensating control to protect against unauthorized access to nonpublic information, and require such a control for any individual accessing the hospital’s internal networks from an external network
- Implement risk-based policies and controls to monitor the activity of authorized users and detect unauthorized access or use of nonpublic information
- Provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified in any risk assessment
- Establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity incident materially affecting the hospital’s information systems or the functionality of any aspect of the hospital’s business or operations
- Notify the Department of Health within two hours of a determination that a cybersecurity incident has occurred and has had a material adverse impact on the hospital
Please contact a member of the Manatt team with any questions regarding these new requirements. Manatt’s multidisciplinary privacy and data security practice spans the spectrum of cybersecurity services, including proactive assessments, program development, incident preparedness, reactive incident responses, regulatory inquiries and investigations, and litigation defense. For more information about Manatt’s privacy and data security practice, please visit Privacy and Data Security - Manatt, Phelps & Phillips, LLP.