As technology advances, hospitals and other health care organizations face a growing number of cybersecurity vulnerabilities. Cybersecurity trends across all sectors, and in health care specifically, can inform stakeholders’ plans to safeguard and improve their organization’s security posture. Health care organizations must also stay abreast of new cybersecurity regulations. Below, we discuss the recently adopted cybersecurity regulations for New York State hospitals and review emerging cybersecurity trends.
In August 2023, Governor Kathy Hochul launched New York’s Cybersecurity Strategy, which outlines the state’s plan to address cybersecurity threats across various sectors.1 Within this blueprint is a call for increased regulation of critical industries that are particularly vulnerable to cyberattacks, establishing minimum security requirements to protect the communities those industries serve.2 Following this, in November 2023, Governor Hochul proposed cybersecurity regulations for hospitals intended to complement the Department of Health and Human Services’ Health Insurance Portability and Accountability Act (HIPAA) Security Rule by requiring hospitals to implement and maintain specific, minimum cybersecurity standards, including standards for staffing, network monitoring and testing, policy and program development, employee training and remediation, incident response, reporting protocols and records retention.3
On October 2, 2024, the New York State Department of Health (NYSDOH) adopted cybersecurity regulations (the “Regulations”) which contain revisions to the regulations proposed in November 2023, and which require certain hospitals licensed under Article 28 of the Public Health Law to, among other requirements4:
Effective October 2, 2024
Effective October 2, 2025
While the costs of implementing the regulations will depend on the cybersecurity programs currently in place, it is estimated that it may cost between $250,000 and $10 million to initially develop and implement, and about $50,000 to $2 million (or more) to maintain annually, depending on the facility size.
The Regulations apply to all “general hospitals” licensed pursuant to Article 28 of the Public Health Law.5 Under Public Health Law § 2801(10), a general hospital is defined as “a hospital engaged in providing medical or medical and surgical services primarily to in-patients by or under the supervision of a physician on a 24-hour basis with provisions for admission or treatment of persons in need of emergency care and with an organized medical staff and nursing service, including facilities providing services relating to particular diseases, injuries, conditions or deformities.”6
Therefore, at this time, the Regulations do not extend to nursing homes or residential health care facilities, public health centers, diagnostic and treatment centers (including ambulatory surgery centers), outpatient lodges for cancer treatment, dispensaries, or laboratory or central service facilities serving more than one institution.
The Regulations include requirements for the protection of “nonpublic information,” which is a broadly defined term that includes protected health information (PHI) as well as all nonpublic electronic information that is:
This expansive definition of protected “nonpublic information” is broader than the scope of HIPAA, which covers only PHI.
Effective immediately, hospitals are required to notify NYSDOH within 72 hours of determining that a material cybersecurity incident occurred.8 The Regulations define a cybersecurity incident as a “cybersecurity event9 that:
Further, hospitals must make certain documentation available for examination by the NYSDOH, including records, schedules, reports and other data, and must retain that documentation for six years.11 The hospital must also make available to the NYSDOH any documentation on areas, systems or processes identified as requiring material improvement, updating or redesign, which likewise must be retained for six years.12
Although the requirement to report cybersecurity incidents is currently in effect, hospitals have until October 2, 2025, to come into compliance with most of the Regulations’ other requirements, including, but not limited to, the requirements for regular risk assessments, establishing and implementing a robust cybersecurity program, and developing policies and procedures that must be approved by the hospital’s governing body. Additionally, if one is not already in place, hospitals must designate a qualified senior or executive-level staff member with appropriate training, experience and expertise to serve as chief information security officer (CISO).13
1. Risk Assessments
Hospitals are required to perform thorough and regular risk assessments to evaluate potential vulnerabilities in their information systems.14 This includes, along with other components:
It is the intention that the risk assessments inform the establishment and implementation of the cybersecurity program and be conducted in accordance with the hospital’s policies and procedures.15
2. Cybersecurity Program
Hospitals must establish a cybersecurity program within their policies and procedures designed to protect the confidentiality, integrity and security of nonpublic information stored on the hospital’s information systems.16 The program must include, among other requirements:
3. Policies & Procedures
Compliance with the Regulations will require the development, ongoing review and maintenance of cybersecurity policies that safeguard against potential threats across a variety of activities. The Regulations include requirements for policies such as:
The Regulations mark New York’s renewed focus on health care entities in response to threat actors’ sustained attacks on this sector, and they aim to minimize data loss and delays in care.
These changes align with broader cybersecurity trends in health care, as further discussed below, including the adoption of zero trust frameworks by health care organizations, the use of artificial intelligence (AI) for cybersecurity threat detection, and the growing emphasis on regulatory compliance in the health care information technology sector.
Cybersecurity attacks on health care facilities can have devastating consequences, including compromised data privacy, disrupted care and risks to patient safety. Additional consequences include the cost of the disruptions, regulatory implications, reputational damage and potential lawsuits. To prepare for and combat cybersecurity threats, health care organizations benefit from understanding cybersecurity risks, available mitigations and emerging cybersecurity trends.
IBM’s 2024 annual Cost of a Data Breach Report23 (the “Report”) evaluated 604 organizations across 17 industries affected by data breaches between March 2023 and February 2024 and identified several key trends.
The Report indicated that in the past year, the global average cost of a data breach increased by 10% to $4.88 million, driven by higher costs of business disruption and post-breach response, including higher regulatory fines. Notably, for the 14th consecutive year, the health care industry had the highest average cost of a data breach among the 17 industries studied, even though that cost fell by 10.6% in the past year to $9.77 million.
Malicious or criminal attacks represented 55% of data breaches, while IT failure and human error accounted for the remaining 23% and 22%, respectively.
The top five factors that increased costs were security systems complexity, security skills shortage, third-party breach, noncompliance with regulations and migration to the cloud.
Notably, the amount of regulatory fines organizations paid also increased, with a 22.7% rise in the share of organizations that paid over $50,000.
Stolen or compromised credentials were the most frequent initial attack vector, occurring in 16% of breaches and carrying an average cost of $4.81 million, followed by phishing at 15% with an average cost of $4.88 million. Malicious insider attacks were the costliest, at $4.99 million per breach, but accounted for only 7% of all data breaches.
Data stored across multiple types of environments accounted for the most breaches (40%), followed by data stored in a public cloud (25%), on premises (20%) and in a private cloud (15%). About one-third of breaches involved data stored in unmanaged data sources, known as “shadow data.” Breaches involving shadow data had a 16% higher average cost and took 24.7% longer to identify and contain.
The average time to identify and contain a breach shrank from 277 days in the previous year to 258 days in 2024, a seven-year low. However, breaches at health care organizations took the longest to identify and contain, at nearly 300 days.24
After containment of a breach, recovery time was also significant. Eighty-eight percent of the organizations studied in the Report were still in the process of recovering. Of the 12% that had fully recovered, over three-quarters reported that recovery took longer than 100 days, while only 3% fully recovered in less than 50 days.
The top five factors that decreased the average cost of a data breach included employee training, AI and machine learning driven insights, security information and event management (SIEM), incident response (IR) planning, and encryption.
AI was the largest cost saver for organizations: those that used AI extensively for prevention saw average breach costs $2.2 million lower than those that did not use AI for prevention. Extensive use of AI also led to faster identification and containment, cutting the time by 100 days.
On April 17, 2023, the U.S. Department of Health and Human Services (HHS) 405(d) Program released the Hospital Cyber Resiliency Initiative Landscape Analysis,25 a report evaluating the threats facing hospitals and their cybersecurity capabilities. Although the report did not focus on sensitive data breaches, its scope included aspects related to patient care and clinical operations.
The report identified several cybersecurity threats to hospitals, including cloud exploitation, which increased by 95% from 2021; ransomware and ransomware-as-a-service (RaaS); phishing and spear-phishing attacks that overcome multi-factor authentication (MFA) through social engineering; software and zero-day vulnerabilities; and distributed denial of service (DDoS) attacks. The report also identified the following key observations:
As cyber incidents become more costly, frequent and sophisticated, it is clear why regulators are motivated to implement regulations and establish clear mandates for safeguarding the sensitive data in hospitals’ possession. The Regulations for New York hospitals set a new standard for cybersecurity in health care, reflecting the urgency of protecting sensitive patient data and maintaining operational safeguards. Hospitals should review their compliance programs and seek assistance from experienced professionals in light of the NYSDOH’s Regulations.
Additional Assistance
For further information on NYSDOH cyber regulations and how they affect your organization, please contact a member of the Phillips Lytle Data Privacy and Cybersecurity Team or the Phillips Lytle attorney with whom you have a relationship.
1 New York State Cybersecurity Strategy August 2023, https://www.governor.ny.gov/sites/default/files/2023-08/2023-NewYork-CybersecurityStrategy.pdf.
2 Id.
3 Press Release, Governor Hochul Announces Proposed Cybersecurity Regulations for Hospitals Throughout New York State (Nov. 13, 2023), https://www.governor.ny.gov/news/governor-hochul-announces-proposed-cybersecurity-regulations-hospitals-throughout-new-york.
4 10 NYCRR § 405.46 (2024).
5 10 NYCRR § 405.46(a) (2024).
6 N.Y. Pub. Health Law § 2801(10) (Westlaw through L.2024, ch. 1 to 456).
7 10 NYCRR § 405.46(b)(8) (2024).
8 10 NYCRR § 405.46(n) (2024).
9 A “‘[c]ybersecurity event’ means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse the hospital’s information system or information stored on such information system, including but not limited to health records.” 10 NYCRR § 405.46(b)(4) (2024).
10 10 NYCRR § 405.46(b)(5) (2024).
11 10 NYCRR § 405.46(n)(2) (2024).
12 10 NYCRR § 405.46(n)(3) (2024).
13 10 NYCRR § 405.46(e) (2024).
14 10 NYCRR § 405.46(b)(12) (2024).
15 10 NYCRR § 405.46(c) (2024).
16 Id.
17 Id.
18 10 NYCRR § 405.46(j) (2024).
19 10 NYCRR § 405.46(l) (2024).
20 10 NYCRR § 405.46(h) (2024).
21 10 NYCRR § 405.46(k) (2024).
22 10 NYCRR § 405.46(c) (2024).
23 IBM, Cost of a Data Breach Report 2024, https://www.ibm.com/reports/data-breach (last visited Nov. 20, 2024).
24 IBM, Webinar, Cost of a Data Breach 2024: Top Insights, AI Impact, and Risk Reduction Best Practices (Aug. 13, 2024), https://ibm.webcasts.com/starthere.jsp?ei=1677694&tp_key=fc2064da0f.
25 Dep’t of Health & Human Servs., Healthcare & Public Health Sector Coordinating Council, Ctrs. for Medicare & Medicaid Servs., HHS 405(d), Hospital Cyber Resiliency Initiative Landscape Analysis (Apr. 17, 2023), https://405d.hhs.gov/Documents/405d-hospital-resiliency-analysis.pdf.