The clock is ticking for New York hospitals. What Gov. Kathy Hochul characterized as “nation-leading statewide cybersecurity regulations” were put in place for all New York general hospitals on Oct. 2, 2024. Hospitals licensed under Article 28 of the Public Health Law have until one year to comply with the new provisions—with one exception: General hospitals must immediately begin notifying the NY State Department of Health of any determined cybersecurity incident.
When considered alongside the HHS’s cybersecurity performance goals released earlier this year, it’s evident that the common vulnerabilities shared by healthcare organizations are of increasing concern to the federal and state governments. All healthcare provider organizations, regardless of size or location, should recognize that now is the time to increase how much consideration and oversight they give to their own cybersecurity and the implementation of best practices. We expect additional state-level legislation will occur or progress on this front to help organizations beyond New York prepare.
Here is our guide to what New York general hospitals should do immediately as well as over the next year—all steps that healthcare organizations elsewhere in the US should consider imitating:
Who is Affected Right Now: New York’s regulations (read them here) extend only to general hospitals, which are defined under NY PHL §2801(10) as those hospitals that engage “in providing medical or medical and surgical services primarily to inpatients by or under the supervision of a physician on a 24-hour basis with provisions for admission or treatment of persons in need of emergency care and with an organized medical staff and nursing service, including facilities providing services relating to particular diseases, injuries, conditions of deformities.”
What Must Happen Immediately: The reporting requirements for a general hospital during a “cybersecurity incident” are now in effect. They state that a breached hospital must notify the Department of Health “as promptly as possible, but no later than 72 hours after determining a cybersecurity incident” took place.
Relevant documentation including records, schedules, reports, and data must be submitted and should be maintained for at least six years. If a hospital pinpoints areas, systems, or processes that “require material improvement, updating or redesign” as a result of the incident, the hospital must document those efforts and make them available to the department. These notifications to the NY State Department of Health are in addition to other required HIPAA, state, or federal notifications. They are also more stringent than HIPAA’s breach reporting rule, which states that breaches affecting more than 500 people be reported within 60 days of discovery.
We recommend New York general hospitals first ensure both their cybersecurity incident response plan and other affected policies, procedures, and plans have been thoroughly reviewed and revised within the past year. In addition, all incident response plans should be formally tested, and those tests should be documented.
The Coming Requirements: From a high-level view, the regulations New York general hospitals will need to have in place touch on risk management/assessment, data protection, asset management, access control, training/development of the workforce, logging and monitoring, and incident response. More specifically, general hospitals will need to:
Establish within its policies and procedures a cybersecurity program based on the hospital’s risk assessment and designed to perform a specified list of core functions.
Designate a Chief Information Security Officer (CISO) who is either employed by the hospital or a third-party service provider and will report in writing at least annually to the hospital’s governing body on the hospital’s cybersecurity program and material cybersecurity risks.
Establish a written Incident Response Plan; the regulations specify which areas must be addressed in that plan ranging from the plan’s goals to a contact list.
Conduct regular cybersecurity testing, including vulnerability scanning and network penetration testing.
Provide regular cybersecurity awareness training for all personnel.
Follow specific policies for third-party cybersecurity providers.
Put in place identity and access management controls including multifactor authentication.
The Cost of Compliance—and Non-Compliance: Many larger hospitals may already comply with many of the new requirements; however, smaller hospitals with lower IT/cybersecurity budgets could be faced with the need to make significant changes to their current policies, procedures, and overall cybersecurity environments. The state acknowledged that effective cybersecurity programs “can cost millions to develop and implement initially, and anywhere from $50,000-$2 million or more to maintain on a yearly basis depending on the facility size.”
The NY State Dept of Health in January 2024 released Statewide Health Care Facility Transformation Program (SHCFTP) IV and V funds totaling $650 million to support facilities’ technological needs, including for these specific cybersecurity purposes.
The state notes that some facilities raised concerns about the implementation cost; it takes “an ounce of prevention is worth a pound of cure” attitude, stating, “The consequences of what can occur as a result of a cyber-attack far outweigh those costs. Days or weeks of downtime with an inability to bill for services can cost tens of millions of dollars (at a minimum), as well as the unknown cost of lost productivity, cancellation of elective surgeries, purchase of new computers, etc, can well exceed the yearly maintenance program costs.”
These new state regulations complement federal HIPAA regulations as opposed to competing against them. HIPAA is still the standard, so any violation of non-compliance could result in potential HIPAA sanctions/penalties and it could also result in penalties for non-compliance with the entire State Dept of Health Article 28 regulations (see Section 414.1 “System of penalties”).
How Avertium Can Help: Our Assess/Design/Protect approach enables us to thoroughly identify any gaps in compliance with NYSDOH regulations, ensuring a clear understanding of areas requiring attention. From there, we develop a detailed and actionable roadmap to remediate these gaps, tailored to the unique needs of your organization. Additionally, our vCISO service is available to provide expert guidance and hands-on support throughout the implementation process, ensuring alignment with regulatory requirements and enhancing your organization's overall security posture.
__________________________________________________________________________________________________________________________________________
Avertium is a cyber fusion and MXDR leader, delivering comprehensive security and compliance services to mid-market and enterprise customers. Our unique “Assess, Design, Protect” methodology addresses and improves security strategy, reduces attack surface risk, strengthens compliance, and provides continuous threat protection. Avertium maximizes customer security investments and enables customers to focus on growth, innovation, and business outcomes, while assuring that their security infrastructure is resilient and adaptive to evolving threats. That’s why customers trust Avertium to deliver better security, improved compliance, and greater ROI.