The state of New York is proposing regulations that would tighten cybersecurity requirements for hospitals, Gov. Kathy Hochul’s office said Monday.
The proposed rule would require hospitals to establish a cybersecurity program and take steps to assess internal and external risks. The rule will publish in the state register on Dec. 6, with a 60-day comment period ending Feb. 5, 2024.
Hospitals would be required to implement measures to protect their information systems from unauthorized access and other malicious acts, take actions to prevent cybersecurity events before they happen and run regular tests of their response plan to ensure no disruptions to patient care. Organizations will also be required to establish a chief information security officer role if it doesn’t exist already and use multifactor authentication to access internal networks.
The proposed regulations are meant to complement the Health Insurance Portability and Accountability Act, the Democratic governor's office said.
Rules will also be established for when providers use applications developed by third-party vendors. Hospitals will be required to establish policies and procedures for evaluating, assessing and testing the security of externally developed applications.
Hochul’s 2024 budget includes $500 million in funding to help healthcare facilities upgrade their technology to comply with the proposed regulations. Once the requirements are finalized, hospitals will have a year to comply.
In October, a cyberattack affected computer systems at two New York-based hospitals, HealthAlliance Hospital in Kingston and Margaretville Hospital. Both facilities are part of the Westchester Medical Center Health Network. In August, Carthage (New York) Area Hospital and Claxton-Hepburn Medical Center in Ogdensburg, New York, were both victimized by a cyberattack.
Cybersecurity threats to healthcare organizations have grown exponentially in the last few years, according a July report from managed security company Trustwave. Nearly 25% of cyberattacks in 2022 targeted the healthcare industry, according to data cited in the report. Data security overall is a challenge to healthcare that's bordering on a crisis, the report cautioned.
Around 85 million patients have had their personal information compromised through the first nine months of the year, compared with 38 million in the same time period in 2022 and 43.9 million in 2021, according to the Health and Human Services Department's Office for Civil Rights.