If newly proposed regulations are finalized in New York, hospitals in the state will soon have to beef up their cybersecurity measures.
This week, New York Governor Kathy Hochul released a proposed set of cybersecurity regulations that require hospitals to establish new policies and procedures to protect themselves from ever-intensifying cyber threats. The governor’s budget for next year includes $500 million in funding to help hospitals upgrade their technology systems to comply with these new rules.
Some experts think the proposed rules will serve as a blueprint for other states to draft similar sets of regulations.
New York’s proposal seeks to augment the protections included within HIPAA. For instance, the proposed regulations would require each hospital in the state to have a cybersecurity program, demonstrate that it is monitoring internal and external cybersecurity risks, establish measures to prevent unauthorized access to its information systems, and maintain a defensive infrastructure.
The proposal would also ensure hospitals have procedures in place to evaluate and test the security of tools and applications made by external vendors, and would require each hospital in the state to have a chief information security officer.
Additionally, the proposed regulations would require hospitals to have detailed response plans ready in the event of a cybersecurity incident. Hospitals would also need to run tests of these plans to ensure that patient care continues while systems are down.
It’s not uncommon for cyberattacks to hurt patient care. In some instances, surgeries are postponed, clinics are shut down for hours or days, and ambulances are diverted to out-of-the-way emergency departments. For example, two hospitals in upstate New York were forced to divert patients to other providers as a result of a cyberattack last month.
“Our interconnected world demands an interconnected defense against cyberattacks, leveraging every resource available, especially at hospitals,” Governor Hochul said in a statement. “These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”
New York state officials will be collecting public comments on the proposal until February 5. If the proposed regulations go into effect, hospitals will have one year to comply.
The process of coming into compliance will be quite expensive and may be difficult for some hospitals to achieve within a 12-month period, according to Wendell Bartnick, partner at law firm Reed Smith. He pointed out that the regulations require hospitals to implement new technologies, hire more staff, and allocate more time and labor toward precautionary tests and scans.