On November 13, 2023, New York Governor Kathy Hochul announced the release of proposed statewide hospital cybersecurity regulations that would require state-licensed hospitals to establish cybersecurity programs, policies, and procedures (the “Proposed Regulations”). The Proposed Regulations set requirements for cybersecurity policies and procedures, cybersecurity personnel, user authentication, security risk assessments and testing, incident response plans, and two-hour reporting of certain incidents.
If approved by the New York State Public Health and Health Planning Council (“PHHPC”) and subsequently finalized, the Proposed Regulations would supplement federal Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule requirements but would be broader in some respects, including with regard to what information is subject to the requirements.
Proposed Hospital Cybersecurity Requirements. Notable requirements of the Proposed Regulations include the following:
- Requirements Applicable to Nonpublic Information: The Proposed Regulations would impose cybersecurity requirements with respect to “Nonpublic Information,” which includes a hospital’s confidential business-related information as well as information that can be used to identify a natural person. This scope is broader than HIPAA, which applies only to “protected health information,” i.e., individually identifiable health information about a patient; business information and non-patient personal data that fall outside HIPAA would be covered here.
- Cybersecurity Program: The Proposed Regulations would require hospitals to establish a cybersecurity program that features specified capabilities, including identification and assessment of cybersecurity risks, defensive infrastructure, and response to identified or detected cybersecurity events to mitigate any negative effects.
- CISO: Hospitals would be required to appoint a qualified senior or executive-level staff member with proper training, experience, and expertise to serve as Chief Information Security Officer (“CISO”) responsible for the cybersecurity program. Among other responsibilities, the CISO would be required to develop and recommend a cybersecurity policy that meets requirements specified in the regulatory text for adoption by the hospital’s governing body and to provide an annual written report to the governing body on the hospital’s cybersecurity program and material cybersecurity risks. Hospitals may need to review the roles and responsibilities of their security executives to ensure that such executives are empowered to undertake these new CISO responsibilities.
- Cybersecurity Personnel: Hospitals would be required to use qualified cybersecurity personnel or a third-party service provider to manage the cybersecurity program. If using a third-party service provider, the hospital would be required to implement written policies and procedures designed to ensure the security of information systems and Nonpublic Information accessed by such third parties. The Proposed Regulations also specify requirements for third-party service provider contracts. Hospitals that engage third-party service providers to assist with their cybersecurity programs may need to review the terms of such engagements to ensure compliance with these new requirements.
- Information System User Authentication: Hospitals would need to use multi-factor authentication, risk-based authentication, or other compensating controls to protect against unauthorized access to Nonpublic Information or information systems. Multi-factor authentication specifically would be required for any access to the hospital’s internal network from an external network, unless the CISO approves an alternative in writing; such approvals should be documented and revisited, since they would be the record a regulator asks for when remote access is involved in an incident.
- Testing, Vulnerability Assessments, and Risk Assessments: Hospitals would be required to conduct an annual risk assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of Nonpublic Information and information systems. Based on that risk assessment, hospitals would also need to implement monitoring and testing designed to assess the effectiveness of the cybersecurity program and to identify changes in information systems that may create or indicate vulnerabilities. At a minimum, this monitoring and testing would have to include (i) penetration testing of the hospital’s information systems by a qualified internal or external party at least annually and (ii) automated scans, or manual or automated reviews, reasonably designed to identify publicly known vulnerabilities in the hospital’s information systems, at a frequency informed by the risk assessment. These requirements are more prescriptive than HIPAA’s requirement for “periodic” risk analyses, and hospitals may need to revise their HIPAA risk analysis plans and testing schedules to ensure compliance.
- Audit Trails and Records Maintenance: Hospitals would be required to maintain, for at least six years, records pertaining to systems design, security, and maintenance, as well as audit trails designed to detect and respond to significant cybersecurity threats. This is consistent with HIPAA’s documentation retention obligation, which requires required policies, procedures, and other documentation to be kept for six years from the date of creation or the date when the document was last in effect, whichever is later. Hospitals should confirm that log retention for security-relevant systems actually meets the six-year period, since typical log retention windows are far shorter.
- Incident Response Plans: Hospitals would be required to adopt a written incident response plan designed to promptly respond to and recover from material security incidents in accordance with requirements specified in the Proposed Regulations.
- Two-Hour Incident Reporting: Unlike the other requirements, the reporting requirement would apply immediately upon finalization of the Proposed Regulations. Hospital CISOs would be required to report to the New York State Department of Health (“NYSDOH”) within two hours of determining that a cybersecurity incident has occurred and has had a material adverse impact on the hospital. Because the two-hour clock runs from the materiality determination rather than from initial detection, hospitals would need a documented and rehearsed process for making and recording that determination. Hospitals must retain documentation related to such incidents for at least six years and provide it to NYSDOH upon request.
Estimated Compliance Costs and Cybersecurity Funding. The state estimates significant compliance costs, ranging from tens of thousands to tens of millions of dollars per hospital. Nevertheless, the state believes the Proposed Regulations are necessary given the high-risk cybersecurity environment in which hospitals operate. In 2023, NYSDOH responded to more than one cybersecurity incident per month, several of which forced hospitals to turn away patients, stopped their billing procedures, and hampered care delivery. These incidents have impacted many New Yorkers, with over 225,000 patients potentially being affected in one breach alone. In addition, the state has included $500 million in available funds in its fiscal year 2024 budget for which hospitals can apply to help upgrade their cybersecurity programs to satisfy the new requirements.
Next Steps. The PHHPC discussed the Proposed Regulations at its meeting on November 16, 2023, and expressed concern about harmonizing federal and state approaches to cybersecurity regulation and the significant compliance costs for hospitals. Indeed, the Proposed Regulations represent a novel state approach to cybersecurity regulation of hospitals by introducing requirements intended to supplement HIPAA requirements. PHHPC intends to revisit the Proposed Regulations at its next meeting on January 25, 2024.
The new requirements would take effect one year after their finalization, except for new security incident reporting requirements, which would take effect immediately. To comply, hospitals would need to update their cybersecurity policies and procedures, hire cybersecurity professionals, change their incident response procedures, and revise their planned security risk assessments.
These Proposed Regulations arrive on the heels of the expansion of cybersecurity governance, safeguards, and incident reporting requirements applicable to entities regulated under New York’s insurance law (including health insurance companies), banking law, or financial services law. Taken together, these regulatory developments highlight the increased expectations and scrutiny around cybersecurity programs in the healthcare sector.