On October 2, 2024, the New York State Register published new hospital cybersecurity requirements for all general hospitals regulated under New York Public Health Law (PHL) Article 28. The new regulations include incident reporting requirements that took effect immediately. Hospitals have until October 2, 2025 to meet the remaining compliance requirements, which range from creating a cybersecurity program to implementing penetration testing (pentesting), vulnerability scanning, and vulnerability remediation.
In this blog, we'll summarize what you need to know about the new regulations. We'll cover:
- Why New York hospitals need cybersecurity standards
- What the new regulations require
- Recommended steps for achieving compliance
- How to get started meeting compliance deadlines
Why Do New York Hospitals Need Cybersecurity Standards?
In October 2024, American Hospital Association National Advisor for Cybersecurity and Risk John Riggi reported that there had been 386 healthcare cyberattacks so far that year. This kept pace with 2023, the worst year to date for healthcare breaches. Data theft and ransomware attacks against healthcare providers and the mission-critical third parties they depend on are increasing, and both criminal groups and hostile nation states have taken part. In response, the Department of Health and Human Services (HHS) has worked with the healthcare and public health sector to publish voluntary Cybersecurity Performance Goals (CPGs).
The New York Governor's office referenced these trends when announcing the new cybersecurity regulation proposal last year. The announcement described the new regulations as an effort to assist state hospitals in establishing policies and procedures to protect healthcare systems from increasing cyber threats. The proposed budget accompanying the announcement requested $500 million to cover the costs of upgrading hospital technology systems to achieve compliance. The published regulations estimate that compliance costs will range from $50,000 for small hospitals to $2 million for large providers.
What Are the New York Hospital Cybersecurity Requirements?
The text of the New York hospital cybersecurity requirements includes obligations for hospitals to create cybersecurity programs, assess risk, implement defenses, protect systems, and prevent threats. The various sections of the regulations:
- Identify all New York general hospitals as subject to the requirements
- Define terms and language used in the requirements
- Require hospitals to create a cybersecurity program consistent with specified protocols, procedures, and core functions
- Prescribe cybersecurity policies general hospitals must create and topics that should be considered after performing risk assessment
- Compel general hospitals to designate a chief information security officer (CISO)
- Lay out requirements for testing and vulnerability assessments
- Outline audit trails and records maintenance and retention requirements
- Delineate requirements for cybersecurity risk assessments and related policies and procedures
- Enact requirements for cybersecurity personnel
- Implement policies for third-party cybersecurity service providers
- Set up requirements for identity and access management
- Introduce requirements for cybersecurity training and monitoring
- Establish requirements for cybersecurity incident response plans
- Institute incident reporting requirements
- Refer to confidentiality and applicability of New York State and U.S. federal statutes
- Obligate general hospitals to achieve full compliance within one year of adoption and to begin reporting cybersecurity incidents to the New York State Department of Health immediately
- State that if any provisions of a section are found to be invalid, it shall not affect or impair the validity of other provisions in the section
The full text of the regulations includes a regulatory impact statement, flexibility analyses for small businesses, local governments, and rural areas, and responses to public comments on the legislative language.
Key Technical Requirements
From a technical cybersecurity perspective, several sections of the requirements contain noteworthy provisions. These include:
- Cybersecurity program requirements
- Cybersecurity policy requirements
- Testing and vulnerability assessment requirements
- Identity and access management requirements
- Incident response plan requirements
- Cybersecurity personnel requirements
- Third-party cybersecurity provider requirements
Here are some highlights:
Cybersecurity Program Requirements
The requirements direct hospitals to create cybersecurity programs based on risk assessments. The programs must fulfill six key functions:
- Identifying and assessing internal and external cybersecurity risks that may threaten security or integrity of nonpublic information or hospital operational continuity
- Protecting hospital information systems, information, and operational continuity from unauthorized access, use, or malicious acts by deploying security policies, procedures, and defensive infrastructure
- Detecting cybersecurity events
- Responding to identified or detected events to mitigate negative effects
- Recovering from cybersecurity incidents and restoring normal services
- Meeting statutory and reporting obligations
Programs must include procedures and policies to limit access privileges to systems storing nonpublic information. Access privilege policies and procedures must comply with state and federal regulations, including the Health Insurance Portability and Accountability Act (HIPAA).
Hospitals must include written procedures, guidelines, and standards for the secure development of in-house applications and for evaluating the security of externally developed applications. These must be reviewed annually by the CISO or their designee.
Programs must include policies for periodic disposal of information that does not need to be stored for regulatory reasons.
Hospitals must implement security measures and controls such as encryption to protect nonpublic information in transit and at rest. Where encryption is infeasible, compensating controls must be deployed and reviewed annually.
Finally, hospital security programs must implement controls to mitigate email security risks such as spoofing, phishing, and fraud. These controls must be reviewed annually.
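The regulation names spoofing and phishing as the email risks to control but does not prescribe a mechanism. The most common technical baseline is SPF plus DMARC on the hospital's sending domains, and a weak record (an SPF `+all`/`?all`, or a DMARC policy of `p=none`) leaves the domain spoofable even though "a record exists". The following is an added example, not code from the original post or from any regulator or vendor: it audits SPF and DMARC records and reports the weak settings beside what a hardened record looks like. The domain names and TXT records are constructed; a real check would fetch them from DNS (for example with dnspython's `dns.resolver.resolve(name, "TXT")`) instead of the dictionary used here.

```python
"""Audit SPF and DMARC TXT records for settings that leave a domain spoofable.

Added example with constructed records; the domains below do not exist.
"""

# Constructed DNS TXT answers keyed by name. "strong-hospital.example" is
# what a hardened configuration looks like; the other two show weak settings.
SAMPLE_TXT = {
    "weak-hospital.example": ["v=spf1 include:_spf.example.net ?all"],
    "_dmarc.weak-hospital.example": [
        "v=DMARC1; p=none; rua=mailto:dmarc@weak-hospital.example"
    ],
    "strong-hospital.example": [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
    ],
    "_dmarc.strong-hospital.example": [
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong-hospital.example"
    ],
    "nodmarc-hospital.example": ["v=spf1 +all"],
}


def lookup_txt(name, records):
    """Stand-in for a DNS TXT query (assumption: records is a name -> [txt] dict)."""
    return records.get(name, [])


def spf_findings(domain, records):
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record; any host can claim to send for this domain"]
    if len(spf) > 1:
        return ["SPF: multiple v=spf1 records; RFC 7208 requires exactly one (receivers return PermError)"]
    terms = spf[0].split()[1:]
    findings = []
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    else:
        term = all_terms[-1]
        qualifier = term[0] if term[0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier in "+?":
            findings.append(f"SPF: '{term}' lets any host pass; use -all (or ~all during rollout)")
        elif qualifier == "~":
            findings.append("SPF: '~all' is softfail; move to -all once all legitimate senders are listed")
    return findings


def dmarc_findings(domain, records):
    recs = [r for r in lookup_txt(f"_dmarc.{domain}", records) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["DMARC: no _dmarc record; receivers cannot act on SPF/DKIM failures"]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid policy tag p={policy!r}")
    pct = int(tags.get("pct", "100"))
    if pct < 100 and policy in ("quarantine", "reject"):
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; no aggregate reports to reveal spoofing attempts")
    return findings


def audit_domain(domain, records=SAMPLE_TXT):
    """Return every weak-setting finding for a domain (empty list means hardened)."""
    return spf_findings(domain, records) + dmarc_findings(domain, records)


if __name__ == "__main__":
    for name in ("weak-hospital.example", "strong-hospital.example", "nodmarc-hospital.example"):
        print(name, audit_domain(name) or ["OK"])
```

DKIM is deliberately left out: its selector names are not discoverable from the zone alone, so it has to be checked from the signing mail system rather than by a record audit like this one.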
Cybersecurity Policy Requirements
The regulations require hospital cybersecurity policies to cover the following topics, at a minimum:
- Information security
- Data governance and classification
- Asset inventory and device management
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Systems operations and availability concerns
- Systems and network security
- Systems and network monitoring
- Systems and application development and quality assurance
- Physical security and environmental controls
- Patient data privacy
- Vendor and third-party service provider management
- Risk assessment
- Training and monitoring
- Overall incident response
Hospitals are responsible for developing, maintaining, implementing, and enforcing policies. Hospital governing bodies are responsible for approving policies recommended by the CISO.
Testing and Vulnerability Assessment Requirements
The regulations require hospital cybersecurity programs to include monitoring and testing of security measures to assess their effectiveness and maintain defenses against emerging vulnerabilities. Monitoring and testing must include at a minimum:
- Annual pentesting of information systems by qualified internal or external parties
- Automated scans or manual or automated reviews of information systems to identify known vulnerabilities
- Timely, risk-based remediations
Monitoring and testing procedures should be developed in accordance with hospital risk assessments.
Identity and Access Management Requirements
The regulations require hospitals to implement various identity and access management safeguards. These include:
- Multi-factor authentication, risk-based authentication, or compensating controls
- Limiting user access privileges to data necessary for performing work functions
- Periodic deactivation of unnecessary accounts
- Disabling remote device control, or configuring it securely where it is needed
Hospitals must review account access privileges periodically, and at least once a year.
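Three of the requirements above (MFA, least privilege, deactivation of unnecessary accounts) plus the annual access review can be driven from one recurring script over an account export. The following is an added example, not code from the original post or from the regulation: it reviews a constructed account list and flags accounts with no MFA, group memberships beyond what their role entitles them to, and logins older than a dormancy threshold. The field names, the role-to-entitlement matrix, the privileged group names, and the 90-day threshold are all assumptions; a real review would take its input from the identity provider or directory and set the threshold from the hospital's own risk assessment.

```python
"""Periodic account access review: MFA, excess privilege, dormant accounts.

Added example with a constructed account export; field names are assumptions.
"""
from datetime import date

# Constructed export, e.g. from the identity provider or the EHR's user table.
ACCOUNTS = [
    {"user": "dr.alvarez", "role": "clinician", "groups": ["ehr_read", "ehr_write"],
     "mfa": True, "last_login": "2024-11-28", "enabled": True},
    {"user": "svc-backup", "role": "service", "groups": ["backup_admin"],
     "mfa": False, "last_login": "2024-11-30", "enabled": True},
    {"user": "j.smith-contractor", "role": "contractor", "groups": ["ehr_read", "domain_admins"],
     "mfa": True, "last_login": "2024-06-01", "enabled": True},
    {"user": "old.intern", "role": "intern", "groups": ["ehr_read"],
     "mfa": False, "last_login": "2023-12-15", "enabled": True},
    {"user": "former.employee", "role": "clinician", "groups": [],
     "mfa": True, "last_login": "2024-01-10", "enabled": False},
]

# Assumed group names whose members count as privileged.
PRIVILEGED_GROUPS = {"domain_admins", "backup_admin", "ehr_admin"}
# Assumed entitlement matrix: the groups each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "clinician": {"ehr_read", "ehr_write"},
    "contractor": {"ehr_read"},
    "intern": {"ehr_read"},
    "service": {"backup_admin"},
}
DORMANT_DAYS = 90                 # assumed threshold; set from the risk assessment
REVIEW_DATE = date(2024, 12, 2)   # date the review is run


def review_account(acct, today, dormant_days=DORMANT_DAYS):
    """Return the findings for one account; an empty list means nothing to act on."""
    if not acct["enabled"]:
        return []                  # already disabled, nothing further to flag
    findings = []
    groups = set(acct["groups"])
    excess = groups - ROLE_ENTITLEMENTS.get(acct["role"], set())
    if excess:
        findings.append(f"excess privilege: {sorted(excess)} beyond the {acct['role']} entitlements")
    if not acct["mfa"]:
        kind = "privileged" if groups & PRIVILEGED_GROUPS else "standard"
        findings.append(f"{kind} account without MFA (needs MFA, risk-based auth, or a documented compensating control)")
    idle = (today - date.fromisoformat(acct["last_login"])).days
    if idle > dormant_days:
        findings.append(f"dormant for {idle} days; candidate for deactivation")
    return findings


def review_all(accounts, today):
    """Map each flagged user to its findings; clean and disabled accounts are omitted."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in review_all(ACCOUNTS, REVIEW_DATE).items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

Keeping the output of each run (the flagged users, the findings, and who approved the resulting changes) is what turns the script into evidence for the annual review the regulation asks for.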
Incident Response Plan Requirements
Hospitals must develop written response plans for handling cybersecurity incidents. These must include requirements for remediating identified weaknesses and procedures for managing mitigations, downtime, and contingencies.
Cybersecurity Personnel Requirements
Hospitals must ensure that the core functions of the cybersecurity program are performed by qualified personnel, whether hospital employees or third-party service providers.
Third-party Cybersecurity Provider Requirements
Hospitals that contract third-party service providers must implement written procedures for assessing third-party qualifications and practices. Third-party guidelines and contracts must address access controls, encryption, disclosure of third-party cybersecurity incidents that compromise hospital security, and representations and warranties.
Recommended Steps for Complying with New York Hospital Cybersecurity Requirements
To start working toward implementation of the new requirements, we recommend that all New York general hospitals take the following steps:
- Immediately implement cybersecurity incident reporting procedures
- Hire a CISO to supervise your cybersecurity plan
- Conduct pentesting to assess information system vulnerabilities
- Conduct a HIPAA compliance assessment
Cybersecurity incident reporting has been mandatory since October 2, 2024. The other steps need to be started as soon as possible to ensure that all compliance requirements are met by the beginning of October 2025, now only ten months away. Note that New York State has made funding available to help hospitals achieve compliance with the new cybersecurity requirements. Initial grant applications were accepted through the portal for the Statewide Health Care Facility Transformation Program IV and V Health Information Technology, Cybersecurity, and Telehealth Transformation. That initial application window closed on March 28, 2024, but check the portal periodically for updates.
Get Help Meeting New York Hospital Cybersecurity Requirements from Cobalt
New York hospitals face a long list of requirements that must be met in a short time, which can seem daunting. But the sooner you start, the better. With many providers, scheduling pentests can be a time-consuming process. Fortunately, Cobalt's user-friendly platform makes it easy to set up network security testing in as little as 24 hours or 3 business days. Our platform lets your security team collaborate with our team of experts to set up continuous security testing and pentesting as a service (PtaaS), tailored to your requirements. We're experienced helping hospitals comply with HIPAA and other major security standards. Contact us today to get a head start on meeting next October's compliance deadline.