On November 13, 2023, Governor Kathy Hochul announced plans to regulate cybersecurity for New York general hospitals regulated under Article 28 of the Public Health Law. As proposed, the regulations will provide an additional level of security for hospitals, which have been increasingly targeted for cybersecurity scams and breaches. The proposed regulations would be additive to those requirements of the federal Health Insurance Portability and Accountability Act (HIPAA), which already includes a variety of requirements meant to safeguard Protected Health Information (PHI). Accompanying the proposed regulations, a $500 million dollar fund has been appropriated under Governor Hochul’s FY24 budget to assist hospitals in complying with the proposed cybersecurity regulations. The funds will be made available through a Health Care Technology Capital program, which will be established by the New York State Department of Health (DOH).
The proposed regulations were submitted to the DOH’s Public Health and Planning Council (PHHPC) on November 13, 2023, for review and approval. If the proposed regulations are approved by PHHPC’s Codes, Regulations, and Legislation Committee, they will be published in the New York State Register on December 6, 2023, and be available for public comment until February 5, 2024. If adopted, hospitals will have one year from the date of adoption to comply with the proposed regulations. However, the reporting requirements of the proposed regulations will take effect immediately upon adoption. As such, if hospitals experience a cybersecurity breach following the date of adoption, hospitals will need to report the breach to the DOH.
Risk Assessments and Cybersecurity Program Requirements
The proposed regulations will require hospitals to conduct an annual risk assessment of the hospital’s potential risks and vulnerabilities, including any evolving threats to nonpublic information held by the hospital, such as unauthorized access to electronic PHI. hospitals will be required to consider, among other things, the hospital’s business operations and utilization of information systems in performing its risk assessments. Risk assessments that hospitals already perform under HIPAA requirements may be acceptable under the proposed regulations provided that such risk assessments comply with all the requirements set forth in the proposed regulations. Any risk assessment conducted pursuant to the proposed regulations would need to be performed in accordance with the hospital’s written policies and procedures, which policies and procedures must include a number of considerations, including, but not limited to: (1) criteria for the evaluation and categorization of identified cybersecurity risks, vulnerabilities, and threats facing the hospital; (2) criteria for the assessment of the security and availability of the hospital’s information systems and protection of nonpublic information, including determining the likelihood of a breach and the potential impact of a breach; and (3) requirements describing how identified risks and threats will be mitigated or accepted and how the cybersecurity policies will address such risks.
Hospitals will be required to establish a cybersecurity program based on the hospital’s risk assessment. At a minimum, the cybersecurity program should include the following concepts:
- identifying internal and external cybersecurity risks that may impact the hospital’s storage of nonpublic information;
- the use of defensive infrastructure and the implementation of policies and procedures to protect the hospital’s information systems from unauthorized access;
- detection of cybersecurity events (i.e. any act to gain unauthorized access to a hospital’s information systems);
- responding to cybersecurity events;
- recovering from cybersecurity events and restoring normal operations; and
- fulfilling applicable statutory and regulatory reporting obligations.
A hospital’s cybersecurity program will also need to include policies and protocols to, among other things:
- Ensure in-house developed applications use secure development practices and that procedures are in place for assessing the security of externally developed applications. These practices and procedures must be reviewed, assessed, updated, and attested to annually by the hospital’s chief information security officer (CISO) or another qualified designee.
- Limit user access privileges to information systems that provide access to nonpublic information, which access privileges need to be reviewed periodically based on the hospital’s risk assessment and other applicable laws, including HIPAA.
- Account for the secure disposal of nonpublic information periodically, except where such information is required to be retained by law or regulation.
- Implement security measures and controls to protect nonpublic information held or transmitted by the hospital, including necessary controls identified in the hospital’s risk assessment.
In addition, cybersecurity programs will need to include monitoring and testing protocols, designed to test the effectiveness of the cybersecurity program and to identify any vulnerabilities. The monitoring and testing will need to include, at a minimum, annual penetration testing by a qualified internal or external party and automatic scans or manual or automated reviews of information systems to identify cybersecurity vulnerabilities.
The proposed regulations will require a hospital’s CISO and its information security and technology staff to develop and implement the foregoing cybersecurity policies and procedures to protect the hospital’s information systems and its storage of nonpublic information. A hospital’s CISO would be responsible for recommending the cybersecurity policy to the hospital’s governing body for approval. The governing body can delegate the supervision of a hospital’s cybersecurity measures to a committee of the governing body, however, such committee must present the proposed cybersecurity policy to the hospital’s full governing body for approval and implementation. At a minimum, the cybersecurity policies to be developed in accordance with the proposed regulations must be based on a hospital’s risk assessment and include, among other things: information security, data governance and classification, asset inventory and device management, systems and network security, patient data privacy, vendor and third-party service provider management, training and monitoring, and overall incident response procedures.
Chief Information Security Officer & CISO Report to Governing Body
The proposed regulations will require hospitals to designate a qualified senior or executive-level staff member to serve as the hospital’s CISO. A hospital’s CISO may be an employee of the hospital or an employee of a third-party or contract vendor; provided that if the CISO is an employee of a third-party or contract vendor, the governing body of the hospital must annually approve the CISO’s contract. A hospital’s CISO will be responsible for developing and enforcing the cybersecurity policies and overseeing and implementing the hospital’s cybersecurity program.
At least annually, the CISO will be required to report to the hospital’s governing body information about the hospital’s cybersecurity program, which shall include, at a minimum,
- the confidentiality of nonpublic information and the integrity and security of the hospital’s information systems;
- the hospital’s cybersecurity policies and procedures;
- material cybersecurity risks to the hospital;
- overall effectiveness of the hospital’s cybersecurity program; and
- any cybersecurity incidents that occurred during the period addressed by the report, and steps taken to thwart future cybersecurity incidents.
Audit Trails and Records Maintenance
If the proposed regulations are adopted, hospitals will be required to:
- retain records pertaining to a hospital’s information systems design, security, and maintenance for a minimum of six years and
- securely maintain systems to include audit trails designed to detect and respond to (i) cybersecurity events that may materially harm any material part of the hospital’s normal operations and (ii) cybersecurity incidents.
Additionally, if a hospital identifies areas, systems, or processes that require “material” improvement, updating, or designing, it is required to document the identification and remedial efforts that will occur to address such areas, systems, or processes. Notably, the proposed regulations do not define what constitutes a “material” improvement, update, or design. These documents must also be maintained by DOH for a minimum of six years.
Incident Response Plan and Department Reporting
As part of a hospital’s cybersecurity program, the proposed regulations will require a hospital to establish a written incident response plan, laying out how the hospital would respond to and recover from cybersecurity incidents. A hospital’s incident response plan should address, among other things:
- the goals of the incident response plan,
- a list of personnel and a definition of their roles and responsibilities with information on levels of decision-making authority;
- communications and information sharing about any incidents;
- remediation requirements for any identified weaknesses in the hospital’s information systems; and
- the internal processes for responding to a cybersecurity event.
In the event of a cybersecurity incident, the CISO or their designee must notify the DOH within 2 hours of the determination that a cybersecurity event has occurred and has had a material adverse impact on the hospital. DOH will prescribe a manner by which hospitals can report cybersecurity incidents. Importantly, the notifications made to DOH under the proposed regulations do not replace obligations that a hospital may have under other state or federal laws.
While most large hospitals may already comply with many of the requirements described in the proposed regulations, smaller hospitals could be faced with the need to make significant changes to their current cybersecurity policies and procedures, as many of the proposed requirements are broader than those set forth under HIPAA. While the cost of implementing proposed regulations may be a challenge for these smaller hospitals, in comparison the consequences of a cybersecurity incident could result in exponentially higher costs. As noted above, the proposed regulations will be accompanied by $500 million dollars in funding through a Health Care Technology Capital program, which will allow hospitals to apply for funding to assist with getting into compliance with the proposed regulations.
Given Governor Hochul’s expressed interest in making New York the leader in establishing cybersecurity requirements that help curtail cybersecurity attacks on the health care industry, it is possible that these proposed regulations may be extended to apply to other health care entities in New York.