The State of New York has proposed new regulations to strengthen hospitals’ data privacy and security requirements. The regulations are open for public comment until Feb. 5 and would add a new section, 405.46, to Title 10 of the New York Codes, Rules and Regulations. They set out the minimum standards the state’s general hospitals must meet. These rules don’t replace federal HIPAA requirements; they supplement them to raise the baseline of hospital cybersecurity.
Why Is This Happening?
New York made headlines as the first state in the U.S. to impose strict cybersecurity regulations for the financial services sector. Although the new rules for hospitals may not be as strict, they follow recent updates to financial standards, which could be guiding the movement toward more cybersecurity regulations in healthcare.
This is unsurprising given that cybercriminals frequently target healthcare because of the sensitive and valuable information healthcare facilities hold. IBM’s 2023 Cost of a Data Breach Report found that healthcare has had the highest average breach cost of any industry for 13 consecutive years, at $10.93 million, compared with an average of $4.45 million across all industries.
Alongside HIPAA, the new requirements aim to ensure that hospitals maintain a basic level of preparedness to deal with cybersecurity incidents, respond promptly, and recover quickly.
Proposed Regulation Highlights for New York Hospitals
- Broader scope of covered information than HIPAA
- Requirement of a CISO and qualified personnel/contractors
- Prescriptive security control requirements (for example, MFA)
- Annual risk assessments
- Audit trails and record-keeping requirements
- Requirements to report material adverse cyber incidents to the NYS Department of Health within two hours
Who Must Comply
If approved, the new regulations will require all of the state’s general hospitals licensed under Article 28 of New York Public Health Law to comply, including:
- 15 small hospitals (<10 acute care/ICU beds)
- 62 medium hospitals (10-100 acute care/ICU beds)
- 114 large hospitals (>100 acute care/ICU beds)
The standards deemed reasonable and appropriate for large organizations may differ from those for smaller hospitals, and certain regulations will also apply to third-party vendors and business associates.
Defining Cyber Incidents
The regulations define a cybersecurity incident as any cybersecurity event that:
- has a material adverse impact on the hospital’s normal operations,
- has a reasonable likelihood of materially harming any material part of the normal operations of a covered entity, or
- results in ransomware being deployed within a material part of the hospital’s information systems.
Unlike HIPAA, this definition isn’t limited to electronic protected health information (ePHI) or other protected health information (PHI). An incident counts if it affects any of the hospital’s nonpublic information, including business-related information and any data that identifies an individual.
Cybersecurity Program Requirements
The new rules will outline protocols, procedures, and core functions of a hospital cybersecurity program, including:
- Develop a program based on the hospital’s risk assessment.
- Identify risks.
- Establish defensive infrastructure, policies, and procedures.
- Detect, respond to, and recover from incidents.
- Fulfill statutory and regulatory obligations.
- Limit user access privileges to information systems that provide access to nonpublic information.
- Develop procedures for secure development of applications the hospital builds in-house, and for evaluating, assessing, and testing applications developed by third parties.
- Establish policies and procedures for secure, periodic disposal of any identified nonpublic information.
- Implement security measures and controls, including encryption, to protect nonpublic information held or transmitted by the hospital.
Cybersecurity Policies and Procedures
Policies and procedures should be based on a hospital’s risk assessment and at a minimum address:
- Data governance and classification
- Asset inventory and device management
- Access controls and identity management
- Business continuity and disaster recovery planning
- Systems operations and availability concerns
- Systems and network security and monitoring
- Systems and application development and quality assurance
- Physical security and environmental controls
- Patient data privacy
- Vendor and third-party service provider management
- Risk assessments
- Training and monitoring
- Overall incident response
Unlike HIPAA, the proposed mandates require a chief information security officer (CISO) who is responsible for the creation, implementation, and oversight of the hospital’s cybersecurity program. HIPAA only requires a security official but does not specify it must be a CISO.
The new rules say the designated CISO can be either an employee (a senior- or executive-level staff member qualified by training, experience, and expertise) or a third party; if the CISO is a third party, the hospital’s governing body must approve the contract annually.
The CISO is responsible for developing, implementing, and enforcing the hospital’s cybersecurity policy and for overseeing the cybersecurity program. The CISO must also deliver written reports to the hospital’s governing body at least annually, detailing the state of the cybersecurity program and the hospital’s material cybersecurity risks.
Testing and Vulnerability Assessment
Under HIPAA, many healthcare organizations have struggled to understand what a “technical evaluation” requires. The proposed regulations give more concrete direction. The cybersecurity program must include monitoring and testing that:
- Is developed in alignment with the hospital’s risk assessment
- Is designed to assess the effectiveness of the program
- Assesses changes in information systems that may create or indicate vulnerabilities
- Includes penetration testing at least annually, conducted by a qualified internal or external party
- Includes automated scans, or manual or automated reviews, reasonably designed to identify publicly known vulnerabilities in the hospital’s information systems based on the risk assessment
Audit Trails and Record Maintenance and Retention
The new standards impose documentation requirements. For instance, the design of security systems and audit trails must be based on the hospital’s risk assessment, and records related to system design, security, and maintenance that support routine operations must be retained for a minimum of six years. This part of the proposal may prove burdensome, particularly for large hospital groups that manage extensive amounts of covered data: retaining and managing those records for six years is operationally complex and may carry a significant cost.
Risk Assessments
HIPAA’s risk analysis and the proposed risk assessment are essentially the same exercise; however, because of the volume and types of data covered by the state regulations, the state assessment is likely to be much broader in scope. The rules require:
- Annual risk assessment of risks and vulnerabilities related to the confidentiality, integrity, and availability of nonpublic information
- Updated as reasonably appropriate but at least annually to address changes in information, systems, and business processes
- Allow for revision of controls to respond to technological advancements
- Risk assessments performed for other regulatory purposes are permitted as long as they meet the requirements
For risk assessment policies and procedures, the standards detail:
- Criteria for categorization of risks, vulnerabilities, and threats
- Criteria for assessing the confidentiality, integrity, security, and availability of systems and information, including identification and adequacy of controls, likelihood and impact of threat occurrence, and determination of risk level
- Requirements on how the hospital will mitigate or accept risks and threats based on its risk assessment, as well as how policies and programs will address risks
Cybersecurity Personnel
Hospitals often struggle to find the right staff to support their cybersecurity programs. To address this, the state rules allow hospitals to use their own qualified cybersecurity personnel or to engage an affiliate or a third-party service provider. Whoever fills the role is responsible for managing cybersecurity risks and performing the core cybersecurity functions the regulation requires, in line with the hospital’s risk assessment. The rules set specific requirements for third parties.
Due Diligence and Contractual Provisions
Because the proposal expands beyond PHI to all nonpublic information, it may vastly enlarge a hospital’s third-party assessment scope, pulling in vendors that operate outside New York and are not under a business associate agreement but still handle the hospital’s nonpublic information or information systems.
For many vendors, this could mean mandating more complex security requirements than they currently have. This will be challenging, especially for larger hospitals with expansive supply chains, and may create tension between hospitals and their vendors.
Hospitals will need to do substantial preplanning to determine which vendors fall in scope and how to work with them to implement the new mandates. Vendor due diligence and contracts should:
- Ensure the provider’s access-control policies and procedures are consistent with industry standards
- Ensure vendors’ policies and procedures include encryption (or other methods) for information in transit or at rest
- Require vendors to notify the hospital in the event of any cybersecurity incident that could impact hospital systems or nonpublic information
- Include representations and warranties addressing third parties’ cybersecurity policies and procedures that relate to the hospital’s nonpublic information or information systems
Authentication
The authentication requirements are similar in spirit to HIPAA but more prescriptive:
- Require multi-factor authentication (MFA), risk-based authentication, or other compensating controls to protect against unauthorized access to nonpublic information or information systems
- MFA is required for any individual that accesses the hospital’s internal networks from an external network unless the hospital’s CISO has approved the use of compensating controls in writing
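The external-access MFA rule above is something a hospital can verify continuously rather than once a year. The following is an added example, not text or code from the regulation or from any hospital: it walks constructed JSON authentication records and flags successful logins that reached an internal service from an external address without MFA and without a compensating control the CISO has approved in writing. The log field names, the internal address ranges, and the exception register are assumptions made for this illustration.

```python
"""Audit authentication events against the external-access MFA rule.

Added example. The record format, the internal network ranges and the
CISO exception register below are assumptions, not part of the regulation.
"""
import ipaddress
import json
from typing import List, Optional

# Assumed internal address space for the hospital's own networks.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed register of compensating controls approved in writing by the CISO.
# Keyed by the service (access path) the written approval covers.
CISO_EXCEPTIONS = {
    "legacy-lab-interface": {
        "written_approval": "EXC-2024-07",  # hypothetical approval reference
        "control": "certificate auth via dedicated jump host",
    },
}


def is_external(src_ip: str) -> bool:
    """True when the source address is outside every internal network."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def check_login(event: dict) -> Optional[str]:
    """Return a finding for a non-compliant login, or None if compliant.

    Compliant cases: failed logins (no access granted), logins from internal
    networks (rule applies to external access only), logins that used MFA,
    and logins on a path with a written CISO-approved compensating control.
    """
    if event.get("result") != "success":
        return None
    if not is_external(event["src_ip"]):
        return None
    if event.get("mfa") is True:
        return None
    exception = CISO_EXCEPTIONS.get(event["service"])
    if exception and exception.get("written_approval"):
        return None
    return (
        f"{event['user']} accessed {event['service']} from external "
        f"{event['src_ip']} without MFA and with no written CISO exception"
    )


def audit(log_lines: List[str]) -> List[str]:
    """Parse one JSON record per line and collect findings."""
    findings = []
    for line in log_lines:
        finding = check_login(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records: one compliant case of each kind plus one violation.
SAMPLE_LOG = [
    '{"user": "rn.patel", "service": "ehr-portal", "src_ip": "10.4.2.17", "mfa": false, "result": "success"}',
    '{"user": "dr.chen", "service": "vpn", "src_ip": "203.0.113.45", "mfa": true, "result": "success"}',
    '{"user": "svc-lab", "service": "legacy-lab-interface", "src_ip": "198.51.100.9", "mfa": false, "result": "success"}',
    '{"user": "contractor1", "service": "vpn", "src_ip": "203.0.113.88", "mfa": false, "result": "success"}',
    '{"user": "contractor1", "service": "vpn", "src_ip": "203.0.113.88", "mfa": false, "result": "failure"}',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("NON-COMPLIANT:", finding)
```

Run against a real identity provider or VPN export, the same check gives the CISO the evidence the annual report to the governing body needs: every exception is tied to a written approval, and anything else from outside the network without MFA is a finding rather than an unknown.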
Training and Monitoring
Employee training and system monitoring are required, including:
- Implementation of risk-based policies, procedures, and controls to monitor authorized users’ activity and to detect unauthorized access to, use of, or tampering with nonpublic information
- Regular cybersecurity awareness training for all personnel
- Updated training to reflect risks identified by the hospital risk assessment, which may include annual phishing exercises and training/remediation for employees
Incident Response Plan
The proposed state regulations outline the necessary guidelines for response plans. These plans should provide instructions on how to quickly and efficiently address and recover from any cybersecurity incident that significantly impacts the confidentiality, integrity, or availability of the hospital’s information systems, as well as the continued functioning of any crucial aspect of the hospital’s business or operations.
The plan must include:
- Roles, responsibilities, contact information, and decision-making authority levels
- Internal and external information sharing about incidents
- Identification of requirements for remediating weaknesses in systems or controls
- Internal processes for event response
- Documentation and reporting of events and incident response activities
- Evaluation and revision of plan after an event
The proposed rules impose more extensive reporting and record-keeping requirements than many organizations are used to. Under HIPAA’s Breach Notification Rule, covered entities and business associates generally have up to 60 days to notify the HHS Office for Civil Rights of a breach of unsecured PHI. The state rule cuts the notification window for material cyber incidents to just two hours. It also requires specified documentation, for example how the event was identified, what remediation is planned, and which response activities are already underway.
Implementation Costs
Implementation costs will likely vary significantly depending on the maturity of the cybersecurity programs and policies hospitals already have in place. The state’s estimates:
- Small hospital
  - Implementation: $250,000-$10 million
  - Ongoing operations: $50,000-$200,000 a year
- Medium hospital
  - Implementation: $250,000-$10 million
  - Ongoing operations: $200,000-$500,000 a year
- Large hospital
  - Implementation: $250,000-$10 million
  - Ongoing operations: $2 million a year
The bright spot is the availability of potential grant funding through a new Health Care Technology Capital program. Some $500 million is available to support healthcare investments in technology and cybersecurity, and hospitals may apply for grants to upgrade their cybersecurity programs to meet the new requirements.
Effective Date
The big question now is when these rules will take effect. As of now, that isn’t clear. Once the comment period closes and the comments are reviewed, the state will publish the final regulations, and hospitals will then have one year to comply.
One exception matters: the two-hour incident notification requirement takes effect immediately upon adoption, which could happen within the next few months.
Given the immediate change in incident reporting and short compliance timeline, covered organizations should begin preparing now. Here are some recommendations to get started:
- Update incident response plans to account for the two-hour reporting and documentation requirement
- Conduct a gap analysis of your existing program relative to the new requirements
- Create an action plan to come into compliance within the applicable timeline
- Identify anticipated costs (internal resources, new technology, external consulting/compliance/legal)
- Apply for a grant/budget internally
- Execute the action plan and track the one-year compliance deadline, including:
  - Policy and procedure changes
  - Operational changes
  - Vendor changes (contractual/technical)