New York Governor Kathy Hochul recently announced proposed cybersecurity rules for New York hospitals, which are due to be published imminently in the State Register on December 6, 2023, subject to approval by the Public Health and Health Planning Council. The Governor’s press release indicates that the proposed regulations, if enacted, will require New York hospitals to meet at least the following requirements:
- Establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks;
- Develop a response plan for potential cybersecurity incidents, including notification to the appropriate parties;
- Run tests of the response plan to ensure that patient care continues while systems are restored back to normal operations;
- Adopt written procedures, guidelines, and standards to develop secure practices for in-house applications;
- Establish policies and procedures for evaluating, assessing, and testing the security of externally developed applications used by the hospital;
- Designate a Chief Information Security Officer to enforce these policies and to annually review and update them as needed; and
- Use multi-factor authentication to access the hospital’s internal networks from an external network.
The proposed regulations have not officially been published, but the text currently under consideration by the Public Health and Health Planning Council is available here (see pages 31-62). Once the proposed regulations are published in the State Register, they will likely be subject to a 60-day public comment period.
While HIPAA compliance is nothing new for hospitals, it represents only the regulatory floor with respect to cybersecurity best practices. New York hospitals should therefore stay attuned to these proposed regulations, which will likely require investment in more stringent administrative and technical security safeguards.