New York Implements Stricter Hospital Cybersecurity Regulations

Written by William DePalma | October 15, 2024 at 9:06 PM

On October 2, 2024, New York State implemented groundbreaking cybersecurity regulations specifically targeting the state’s general hospitals. These regulations are a significant step forward in safeguarding sensitive patient data and healthcare operations, marking a notable shift in how hospitals must handle cyber threats. The new legislation comes in response to the growing frequency and severity of cyberattacks in the healthcare sector, which has been grappling with an unprecedented surge in ransomware and other cybersecurity incidents in recent years.

The Motivation Behind the New Regulations

Cybersecurity threats in the healthcare industry have escalated dramatically. In 2023, New York's Department of Health (NYSDOH) reported at least one cybersecurity incident at a hospital every month. These incidents included ransomware attacks, which frequently forced hospitals to divert emergency services, halt billing processes, and operate under downtime procedures, thereby putting patient care at risk. One particularly damaging breach compromised the personal and health information of more than 225,000 patients. These events were the catalyst for New York’s new legislation, which seeks to protect hospitals and the healthcare system from further damage caused by cyberattacks.

Governor Kathy Hochul had already identified cybersecurity as a priority in 2023 with the release of the New York State Cybersecurity Strategy. This plan aimed to shield critical infrastructure, digital assets, and personal data from malicious actors. By November 2023, the Governor announced the NYSDOH’s intent to adopt stringent cybersecurity regulations for general hospitals, and less than a year later, the law went into effect.

Who is Affected?

The law applies to general hospitals licensed under Article 28 of the Public Health Law. General hospitals are defined as healthcare institutions that provide medical and surgical services to inpatients under the supervision of a physician on a 24-hour basis, and they are equipped to treat emergencies. In New York, this includes more than 190 hospitals, but it notably excludes other healthcare facilities such as diagnostic centers, outpatient care centers, nursing homes, and Veterans Affairs hospitals.

Key Requirements of the Cybersecurity Regulations

The new cybersecurity regulations are both comprehensive and far-reaching. They are designed to ensure that hospitals implement strong, proactive measures to mitigate the risk of cyberattacks. Some of the most critical requirements include:

Immediate Cyber Incident Reporting

Hospitals must now report material cybersecurity incidents—those that have the potential to disrupt normal hospital operations or pose a risk to patient care—to the NYSDOH within 72 hours of discovery. This includes ransomware attacks and other incidents that could significantly affect hospital functions. Originally, the proposed legislation required a two-hour reporting window, but this was revised to a more realistic 72-hour period, particularly since many cyberattacks occur during weekends or holidays when staffing levels are lower.

Chief Information Security Officer (CISO) Appointment

Every hospital is now required to appoint a qualified Chief Information Security Officer (CISO), who is responsible for overseeing the hospital's cybersecurity program. The CISO must have the appropriate training, experience, and expertise, and they are tasked with recommending cybersecurity policies, conducting regular audits, and reporting annually to the hospital’s governing body.

Annual Risk Assessment

Hospitals must conduct an annual security risk assessment of their information systems. This assessment must be thorough and accurate, identifying vulnerabilities and potential risks to patient data and the hospital’s critical systems. The assessment will be used to guide cybersecurity planning and resource allocation.

Incident Response Plans

Hospitals are also required to develop and maintain a detailed incident response plan. This plan should outline the steps that need to be taken in the event of a cybersecurity incident, including the roles and responsibilities of staff, communication protocols, and recovery procedures. The goal is to minimize downtime and protect both patient safety and hospital operations.

Regular Cybersecurity Testing

Regular cybersecurity testing, including vulnerability scans and penetration testing, is mandated to ensure that hospitals can detect and address vulnerabilities before they are exploited. These tests must be conducted at least annually, and hospitals are required to review the results and update their security measures accordingly.

Multifactor Authentication and Access Control

To prevent unauthorized access to sensitive data, hospitals must implement multifactor authentication (MFA) for all external-facing systems. This adds an extra layer of security by requiring users to present more than one authentication factor (for example, a password plus a one-time code or hardware token) before gaining access. Additionally, hospitals are required to conduct regular reviews of all user access privileges, ensuring that only necessary personnel have access to critical systems.

Cybersecurity Awareness Training

All hospital staff must undergo regular cybersecurity awareness training. This training must be updated frequently to reflect the latest risks identified in the hospital’s risk assessments. It is critical that staff are educated on the tactics cybercriminals use, such as phishing, and how to respond appropriately to potential threats.

Audit Trails and Record Maintenance

Hospitals are required to maintain detailed audit trails to detect and respond to cybersecurity incidents promptly. Records related to security incidents, system maintenance, and design must be retained for at least six years, which aligns with the record retention requirements under HIPAA.

Cost of Compliance

Implementing these robust cybersecurity measures will undoubtedly come with significant costs, particularly for smaller hospitals. The NYSDOH has estimated that compliance costs will range from $50,000 to $200,000 annually for small hospitals with fewer than 10 beds. Medium-sized hospitals with 10 to 100 beds are expected to spend between $200,000 and $500,000, while large hospitals may face costs as high as $2 million annually.

To offset these expenses, New York State has allocated $650 million in Statewide Health Care Facility Transformation Program (SHCFTP) funding to assist hospitals in complying with the new cybersecurity regulations. Hospitals have been able to apply for these grants since January 2024, and applications are currently under review.

The Role of HIPAA and Federal Regulations

While the new state regulations are significant, they do not replace the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Rather, they are intended to supplement the HIPAA regulations by raising cybersecurity standards beyond the baseline set by HIPAA. The HIPAA Security Rule, last updated in 2013, focuses on protecting patients' protected health information (PHI). However, it has been criticized for not keeping pace with evolving cyber threats. The U.S. Department of Health and Human Services (HHS) is currently working on updates to the HIPAA Security Rule, but those changes are not expected to be implemented for several years.

In the meantime, New York’s new regulations will ensure that the state's general hospitals improve their cybersecurity measures more rapidly than HIPAA alone would have required. Additionally, while HIPAA mandates that breaches affecting 500 or more individuals must be reported to the HHS within 60 days, New York’s 72-hour reporting requirement for material incidents reflects a more aggressive timeline aimed at minimizing potential harm.

Looking Ahead

New York's new cybersecurity regulations represent a major shift in how hospitals are expected to handle cyber threats, and they set a new standard for other states and sectors. With healthcare organizations across the country grappling with the escalating risk of cyberattacks, other states may soon follow New York’s lead in adopting similar legislation.

However, challenges remain. The broad definition of "material cybersecurity incidents" and the strict reporting timelines may create difficulties for hospitals, especially those with limited resources. Additionally, the law currently applies only to general hospitals, which leaves other healthcare providers, such as outpatient clinics and nursing homes, outside the scope of these stringent requirements.

As hospitals in New York adjust to the new regulations, they will need to invest in the necessary infrastructure, training, and personnel to meet the state’s heightened cybersecurity standards. The ultimate success of this legislation will depend on the hospitals’ ability to implement effective cybersecurity programs and respond swiftly to incidents, ensuring that patient care remains uninterrupted and sensitive data is protected from cybercriminals.

How Compass IT Compliance Can Help

Navigating these new cybersecurity regulations can be daunting, but Compass IT Compliance is here to help. As a trusted partner with deep expertise in healthcare cybersecurity, we offer comprehensive services to ensure your hospital meets New York State’s rigorous requirements. From conducting thorough risk assessments and developing incident response plans to recommending multifactor authentication solutions and training your staff on cybersecurity best practices, we are equipped to guide you through every step of the compliance process. Our team of experienced cybersecurity auditors, including Virtual CISOs, can work with your hospital to implement these changes efficiently and cost-effectively, reducing the risk of cyber incidents and ensuring compliance with both state and federal regulations.

Contact us today to learn how Compass IT Compliance can help safeguard your hospital’s data and protect patient care from the growing threat of cyberattacks.