N.Y. hospitals face stiff cybersecurity requirements under proposed rules

The proposed rules, which would require the reporting of material cyber incidents within two hours, are designed to strengthen the cybersecurity of hospitals and their networks, said New York Gov. Kathy Hochul in a press release Monday.

Complying with the proposed rules would initially cost hospitals tens of thousands or tens of millions of dollars, according to the draft rules, which noted program maturity as a dictating factor. Hospitals would be allowed to subcontract for cybersecurity services.

Hochul said she included $500 million in her fiscal year 2024 budget to help hospitals comply with the rules and upgrade cybersecurity generally.

The proposed regulations follow the state’s release of a cybersecurity strategy in August and updated cybersecurity regulations for financial institutions earlier this month.

Hospitals would be mandated to have a chief information security officer to create, guide, and enforce cybersecurity policies.

Hospitals would have to establish defensive infrastructure and procedures to protect against cybersecurity attacks and unauthorized access to information. They would also have to regularly assess their internal and external risks of a cyberattack, Hochul said.

Cybersecurity programs would include written guidelines, standards, and procedures for securing computer programs used or created in-house by a hospital. Hospitals would have policies and procedures for evaluating and testing computer programs created externally.

Hospitals would have at least two-factor authentication in place for anyone authorized to access their network externally.

Hospitals would have response plans in place in case of a cybersecurity incident that include the ability to continue to provide patient care. The plans would have to be tested, Hochul said.

The proposed rules will be considered by the Public Health and Health Planning Council. If adopted, they will be subject to a 60-day comment period, ending Feb. 5. Hospitals would have a year to come into compliance, if the rules are finalized.

New York’s requirements would be a complement to rules under the Health Insurance Portability and Accountability Act’s Security Rule, Hochul said.

“Our interconnected world demands an interconnected defense against cyberattacks, leveraging every resource available, especially at hospitals,” she said. “These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”