New York State Governor announces proposed cybersecurity regulations for hospitals

Kathy Hochul, Governor of New York State, has announced proposed statewide cybersecurity regulations for hospitals, to help “safeguard health care systems from growing cyber threats”. The announcement follows warnings from the US Department of the Treasury, the FBI, and the Cybersecurity and Infrastructure Security Agency that hospitals are a target for cyberattacks.

The governor’s budget for 2024 includes $500 million in funding for health care facilities to help them comply with these new regulations, aimed at strengthening the protections on hospital networks and systems.

Hospitals will be required to establish a cybersecurity program and “take proven steps to assess internal and external cybersecurity risks, use defensive techniques and infrastructure, implement measures to protect their information systems from unauthorized access or other malicious acts, and take actions to prevent cybersecurity events before they happen”.

The regulations also give hospitals the responsibility of drawing up a response plan for potential cybersecurity incidents, which includes a notification process for “appropriate parties”, and which should be tested to ensure that patient care can continue whilst the threat is managed.

Where one does not already exist, hospitals are to establish a chief information security officer role, “in order to enforce the new policies and to annually review and update them as needed”.

The $500 million in funding will form part of an upcoming statewide capital program call for applications, and it is hoped that it will “spur investment in modernization of health care facilities as well as utilization of advanced clinical technologies, cybersecurity tools, electronic medical records, and other technological upgrades to improve quality of care, patient experience, accessibility, and efficiency”.

Colin Ahern, New York State chief cyber officer, said: “Under Governor Hochul’s leadership, the Department of Health is publishing draft cybersecurity regulations that will strengthen protections for hospital systems across the state. These draft regulations build upon the statewide cybersecurity strategy Governor Hochul released in August. As hospitals face growing cyber threats, it is imperative that we enable them to defend against attacks and these draft regulations and financial commitment do just that. We look forward to receiving public feedback over the next 60 days before finalizing the regulations to support improved cyber defenses and resilience for hospitals statewide.”