New York State Enacts New Cyber Requirements for Hospitals
Includes 72-Hour Incident Reporting Mandate That Went into Effect on Oct. 2
General hospitals in New York State must now report "material" cybersecurity incidents - such as ransomware attacks - to the state's department of health within 72 hours under new cybersecurity requirements that went into effect on Oct. 2. The hospitals have until October 2025 to also comply with a long list of other cyber mandates.
Other requirements include appointing a CISO, establishing a comprehensive program for risk assessment, response, recovery, and data protection, and implementing multifactor authentication.
Right now the state counts about 195 facilities as "general hospitals" that are subject to the new regulations. Under New York State law, "general hospitals" are institutions that "provide medical or medical and surgical services primarily to in-patients by or under the supervision of a physician on a twenty-four hour basis with provisions for admission or treatment of persons in need of emergency care."
The new cyber regulations do not apply to facilities such as nursing homes, public health centers, diagnostic centers, treatment centers and various outpatient care facilities. Some hospitals, such as Veterans Affairs facilities, are also currently excluded from the new regulations.
The final regulations include a few changes from the original proposal last year - most notably extending the incident response reporting requirement from two hours to 72 hours (see: NY State Eyes New Cyber Regs for Hospitals; $500M Price Tag).
"The purpose of this regulation is to ensure continued functioning of patient care and hospital operations," said the final regulations published on Oct. 2 in the state register.
"The 72-hour timeframe has been defined specifically for material incidents, and reporting within this time will allow the department to set up health emergency response and limit exposure to other NYS entities," the regulations said.
A reportable cybersecurity incident is defined as one that has a material adverse impact on the normal operations of the hospital; has a reasonable likelihood of materially harming any part of the normal operations of the hospital; or involves the deployment of ransomware within a material part of the hospital’s information systems.
The 72-hour reporting deadline will be a challenge, especially given the broad definition of a "cybersecurity incident" under the regulations, said regulatory attorney Jennifer Kreick, a partner at the law firm Haynes Boone.
"These kinds of security incidents - such as ransomware attacks - often take place over a weekend or holiday when staffing is low, making it even more difficult to respond quickly," she said.
"There is often very limited information available early on as to exactly what information and systems may have been accessed or impacted and the ultimate effect on the organization, so the date that the organization made the 'determination' of such incident will also create challenges," she said.
The key for general hospitals will be to have a strong security incident response plan and a team in place to respond quickly and document the incident appropriately, she suggested.
While the previously proposed two-hour reporting requirement was certainly more challenging than the newly enacted 72-hour notification requirement, "complying with the timing components of a notification obligation typically comes down to the same issues," said regulatory attorney Brad Rostolsky of the law firm Greenberg Traurig.
"If a general hospital institutes appropriate compliance protocols internally, work force members who first become aware of a cyber incident will notify the hospital’s privacy or security officer as soon as possible," he said. At that point, the notification to the state is more about the act of notifying than what the notification contains, he said. "Often, regulated entities will want to learn as much as they can about a potential incident."
Under federal HIPAA regulations, covered entities have 60 days to report to the U.S. Department of Health and Human Services upon discovery of protected health information breaches affecting 500 or more individuals.
Even that longer timeline has often proven to be difficult for some organizations investigating major breaches and cyberattacks (see: Lawmakers: UHG Violating HIPAA Breach Notification Rule).
Other Requirements
Until now, New York State did not have any state cybersecurity requirements for the safeguarding and security of patients’ protected health information and personally identifying information.
Nonetheless, the new state regulations "mirror standards implemented in 2017 for financial services companies doing business in New York," said privacy attorney David Holtzman of consulting firm HITprivacy LLC.
"We in the healthcare industry cannot continue to bury our heads in the sand relying on self-regulation, which has not been effective in safeguarding information systems from cybersecurity risk," he said.
The new NYS regulations also are intended to supplement the HIPAA Security Rule requirements, the state said.
Violation of any health law or regulation in New York State - including non-compliance with the cyber regulations - is subject to penalty, a department of health spokeswoman told Information Security Media Group. "But to be clear, financial penalties are not the intent of these regulations. The intent is to ensure health facilities have the resources and guidance to protect against cyberattacks," she said.
Other hospital cyber requirements under the new regulations include:
- Designating a CISO - either employed directly by the hospital or as an employee of a third-party firm;
- Conducting an accurate and thorough annual security risk assessment of the hospital’s systems;
- Implementing a detailed, comprehensive cybersecurity risk program;
- Conducting regular cybersecurity testing, including scans and penetration testing;
- Maintaining systems to include audit trails designed to detect and respond to cybersecurity events;
- Implementing multifactor authentication for external facing systems;
- Limiting the use of privileged accounts to functions that require that level of access;
- At a minimum annually, reviewing all user access privileges and removing or disabling accounts and access that are no longer necessary;
- Establishing a detailed incident response plan;
- Providing regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the hospital in its risk assessment, which may include annual phishing exercises and remediation for employees.
Facilities may need to hire or contract additional information technology staff to ensure compliance with the new regulations, the state said.
"These regulations will ensure all hospitals develop, implement and maintain minimum cybersecurity standards, including cybersecurity staffing, network monitoring and testing, policy and program development, employee training and remediation, incident response, appropriate reporting protocols and records retention," the regulations said.
The explosion of cyberattacks on the healthcare sector - including facilities in New York - was a key driver in adopting the regulations.
"The department in 2023 has responded to more than one cybersecurity incident per month, several of which have forced hospitals to go on diversion, stopped their billing procedures, and required facilities to operate on downtime procedures, which can severely hamper the care delivery process," the regulations said. "Over 225,000 patients had data possibly compromised in one breach alone."
But it is uncertain whether the new hospital requirements will make the sort of improvement that regulators hope to see for overall healthcare cybersecurity in the state, some experts said.
"Hospitals tend to be more regulated and have a more advanced security posture than other healthcare industry participants that are not covered by these regulations, such as physician practices, ambulatory surgical centers or nursing homes," Kreick said.
"The limited scope of the law also limits its impact, as patients move through the healthcare system to other providers."
New York State regulators will evaluate any potential changes to the mandates looking ahead, said the department of health spokeswoman.
"The regulations are designed to ensure that appropriate cybersecurity controls are in place to protect the part of the healthcare delivery system, which acts as a backstop to all other healthcare providers. The department will continue to assess the healthcare sector's cyber security stance."
The enactment of the New York State cyber regulations also comes as federal regulators are hammering out an update to the HIPAA Security Rule and potentially new cybersecurity mandates that are also expected to apply, at least initially, to hospitals (see: Will Upcoming HHS Cyber Regs Move Needle in Health Sector?).
NYS estimates that the new requirements will annually cost small hospitals with fewer than 10 beds between $50,000 and $200,000; medium-sized hospitals with 10 to 100 beds between $200,000 and $500,000; and large hospitals with more than 100 beds about $2 million.
New York State has approved $500 million in funding to help hospitals comply with the new requirements. "A statewide grant application was released earlier this year. Applications submitted are currently under review for consideration of funding," a NYS health department spokeswoman said.
Insurance experts are also evaluating the potential impact of the new state requirements on cyber coverage policies.
"The new regulations highlight the cyberthreat to the healthcare industry and the risks they face in relation to the significant amount of sensitive and financially lucrative healthcare information that they collect," said insurance attorney Peter Halprin of the law firm Haynes Boone.
"From an insurance standpoint, the specter of these threats highlights the benefit of cyber insurance as a risk mitigation and bottom-line protection tool."