“Our interconnected world demands an interconnected defense against cyberattacks, leveraging every resource available, especially at hospitals. These new proposed regulations set forth a nation-leading blueprint to ensure New York state stands ready and resilient in the face of cyber threats,” Hochul said in a statement.
According to a press release published by the Department of Health and Human Services Office for Civil Rights (OCR), ransomware and hacking are healthcare’s primary cyberthreats. Over the last four years, there has been a 239% increase in large breaches reported to OCR involving hacking, and a 278% increase in ransomware. This trend continues in 2023, where hacking accounts for 77% of the large breaches reported to OCR. Over 89 million individuals have been affected by large breaches in 2023.
Proposed Cybersecurity Regulations
As hospitals have become increasingly targeted by hackers, the need for improved cybersecurity is evident. The proposed regulations include requirements such as establishing:
- Cybersecurity programs to assess risks
- Defensive measures to protect information technology systems from unauthorized access
- Clear incident response plans and written guidance to help employees respond to an attack
The new regulations would also require hospitals to have a chief information security officer to review, update, and enforce cybersecurity policies. According to the governor’s office, the $500m budget will “spur investment in modernization of healthcare facilities as well as utilization of advanced clinical technologies, cybersecurity tools, electronic medical records, and other technological upgrades to improve quality of care, patient experience, accessibility, and efficiency.”
Request for Public Comment
When regulatory changes are proposed, the government often asks the public to comment to ensure all issues are addressed. The public comment period for the proposed cybersecurity regulations opened on December 6, 2023, and will close on February 5, 2024. Executives at large hospitals, such as Northwell Health, have already commented.
“For large health systems like Northwell and the other large ones in the city, it’s probably not going to be burdensome because 95% of what they’re asking us to do, we do anyway. Smaller hospitals don’t have the people resources and the money resources to get this done easily,” said Mark Jarrett, Senior Health Advisor at Northwell.
The Iroquois Healthcare Association also voiced its concern. “This is an important issue against which our members vigilantly work to stay prepared for increasingly sophisticated cyberattacks,” said Gary Fitzgerald, executive director of Iroquois Healthcare Association. “We are examining the regs to ensure that there is not any overlap or redundancy with standards at the federal level that could consume precious resources for our upstate hospital members. We are also urging the state to provide resources to ensure that whatever standard is adopted, that it can be complied with readily.”
The Connection Between Compliance and Cybersecurity
Compliance and cybersecurity intersect – you can’t have one without the other. Compliant organizations are inherently more secure as they must implement security measures to protect patient information.
Compliancy Group’s healthcare compliance software makes it easy to identify your areas of risk and take action to remedy issues. Our software comes with a robust toolset to help manage your risk, including security risk assessments, corrective action plans, policies and procedures, employee training, and incident management.