Unwilling to wait for the federal government to implement its cybersecurity regulations in healthcare, New York decided to take matters into its own hands by adopting groundbreaking new rules for hospitals.
On October 2nd, the New York State Department of Health announced new state cybersecurity requirements for hospitals, codified at Section 405.46 of Title 10 of the New York Codes, Rules and Regulations (10 NYCRR 405.46).
“New York state finalizing this legislation is groundbreaking,” says Kate Pierce, Executive Director of Government Affairs for Fortified Health Security. “This is the first state ever to do this, and effective immediately, all general hospitals have 72 hours to report if they get hit with a cyber-attack…period. And then they only have a year to comply with all this other laundry list of cybersecurity requirements for hospitals.”
Let’s look at some of those cybersecurity regulations, the challenges hospitals may face adhering to the rules, and the best next steps toward adopting these enhanced cybersecurity standards.
Key Requirements Under Section 405.46
The new regulations set out the requirements hospitals must meet to reduce their exposure to cyberattacks. Here are the key requirements hospitals will need to satisfy:
1. Cybersecurity Policies and Procedures
Hospitals are required to establish comprehensive cybersecurity policies covering all aspects of their operations, including:
- Encryption standards
- Data access controls, and
- Methods for monitoring potential threats.
These policies must be updated regularly to keep up with threats and ensure staff are following the best security practices.
2. Regular Risk Assessments
Hospitals will be required to perform periodic risk assessments under the new regulations. These assessments are intended to help hospitals identify vulnerabilities in their IT systems, networks, and data-handling processes. Once vulnerabilities are identified, hospitals are expected to remediate them promptly, prioritizing by risk, rather than leaving known gaps open until the next assessment.
3. Designation of a Chief Information Security Officer (CISO)
All hospitals must have a qualified CISO in place who is responsible for recommending hospital cybersecurity policy and for delivering an annual report on the cybersecurity program to the hospital's governing body.
4. Employee Training
Hospitals must invest in cybersecurity training programs for their employees to ensure staff can:
- Recognize phishing attempts
- Avoid security breaches, and
- Understand the importance of protecting sensitive information.
This training will need to involve all personnel, from medical staff to administrative employees.
5. Incident Response and Reporting
Hospitals must create an incident response plan to outline how they will handle a data breach or cyberattack. This includes steps for:
- Mitigating damage
- Notifying affected parties, and
- Conducting a post-incident analysis to prevent future issues.
6. Third-Party Vendor Security
Section 405.46 requires hospitals to ensure that third-party vendors with access to their systems or data meet strict cybersecurity standards. This will include thorough evaluations of vendors' security practices before engagement and ongoing compliance monitoring afterward, so that a vendor's weakness does not become a weak link into the hospital's network.
Challenges Hospitals May Face
While the goal is to enhance cybersecurity for New York's hospital systems, adhering to the new rules within a year may present problems, particularly for smaller hospitals. Here are some potential obstacles:
1. Financial Impact
Putting these cybersecurity requirements in place can be expensive. Hospitals may need to invest in new technology, hire cybersecurity specialists, and conduct regular risk assessments, which can strain budgets, particularly for smaller hospitals that already have limited resources.
2. Employee Training and Compliance
Training every employee to understand and correctly follow all cybersecurity measures is a huge undertaking, especially for large hospitals. Delivering the training and monitoring completion may require hiring additional staff.
3. Updating and Integrating Technology
Updating technology is also a huge and costly lift, as many hospitals still rely on outdated IT infrastructure. Upgrading systems to meet the new requirements will be a time-consuming process that demands significant funding.
4. Managing Third-Party Vendors
Hospitals that rely on multiple vendors must make sure every one of them adheres to the new standards. Managing these relationships adds another layer of complexity to hospital operations.
Preparing for Compliance: Next Steps in Cybersecurity for New York Hospitals
So where should hospitals begin? This is where Fortified Health Security can help.
We have a variety of services to help ensure your compliance with the new regulations and protect patients.
With careful planning and investment, New York hospitals can achieve compliance and strengthen their defenses, making them safer and more resilient in the face of cyber threats.
Not sure where to start? We have you covered.
- Check out our interactive tool that shows you exactly what you need to comply with every key requirement.
- Download our Guide to learn more about the requirements, action steps, and services.