Client Alerts  - Health Care and Life Sciences  - Data Privacy and Cybersecurity Dec 09, 2024

Understanding the NYS Department of Health’s New Hospital Cybersecurity Regulations


Strategies for Hospital Compliance and Industry Trends

As technology advances, hospitals and other health care organizations are facing increasing cybersecurity vulnerabilities. Cybersecurity trends across all sectors, and specifically health care, can inform stakeholders’ plans to safeguard and improve their organization’s cybersecurity. Health care organizations must also stay abreast of new cybersecurity regulations. Below, we discuss recently passed new cybersecurity regulations for New York State hospitals and review emerging cybersecurity trends.

I. New York State Department of Health’s New Cybersecurity Regulations

In August 2023, Governor Kathy Hochul launched New York’s Cybersecurity Strategy, which outlines the state’s plan to address cybersecurity threats across various sectors.1 Within this blueprint is a call for increased regulation of critical industries that are particularly vulnerable to cyberattacks to protect the communities they serve by establishing certain security level requirements.2 Following this, in November 2023, Governor Hochul proposed cybersecurity regulations for hospitals with the intention of complementing the Department of Health and Human Services’ Health Insurance Portability and Accountability Act (HIPAA) Security Rule, by requiring the implementation and maintenance of specific, minimum cybersecurity standards, including with respect to staffing, network monitoring and testing, policy and program development, employee training and remediation, incident response, and reporting protocols and records retention.3

On October 2, 2024, the New York State Department of Health (NYSDOH) adopted cybersecurity regulations (the “Regulations”) which contain revisions to the regulations proposed in November 2023, and which require certain hospitals licensed under Article 28 of the Public Health Law to, among other requirements4:

Effective October 2, 2024

  • Notify the NYSDOH within 72 hours after determining that a material cybersecurity incident has occurred.

Effective October 2, 2025

  • Designate a Chief Information Security Officer (CISO), who is responsible for developing, overseeing and enforcing the cybersecurity program, and has certain reporting requirements.
  • Maintain and implement policies and procedures on cybersecurity for the protection of its information systems and nonpublic information to be approved by the hospital’s governing body, upon recommendation by the CISO.
  • Establish a written cybersecurity program with procedures, guidelines and standards, which shall be annually reviewed and attested by the CISO. At least annually, the CISO must report on the program and material cybersecurity risks to the hospital’s governing body, including the reporting requirements as prescribed in the Regulations.
  • Conduct a risk assessment to inform the development of the cybersecurity program.
  • Within the cybersecurity program, include monitoring and testing, developed in accordance with the hospital’s risk assessment, designed to assess the effectiveness of the hospital’s cybersecurity program and assess changes in information systems that may create or indicate vulnerabilities.
  • Securely maintain systems that include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the hospital’s normal operations, and to cybersecurity incidents (as defined in the Regulations).
  • Utilize qualified cybersecurity personnel or a third-party service provider sufficient to manage the hospital’s cybersecurity risks and carry out the cybersecurity program.
  • Establish and implement policies and procedures governing third-party service providers regarding their access to the hospital’s information systems and nonpublic information.
  • Hospitals shall use multi-factor authentication (MFA), risk-based authentication, or other compensating control to protect against unauthorized access to nonpublic information or information systems. At least annually, hospitals must review all user access privileges and remove or disable accounts and access that are no longer necessary.
  • Hospitals shall develop and implement risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information by such authorized users. Hospitals must also provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the hospital in its risk assessment, which may include annual phishing exercises and training/remediation for employees.
  • Hospitals are required to establish written incident response plans designed to promptly respond to, and recover from, any cybersecurity incident materially affecting the confidentiality, integrity or availability of information systems or the continuing functionality of any aspect of the business or operations.

While the costs of implementing the regulations will depend on the cybersecurity programs currently in place, it is estimated that it may cost between $250,000 and $10 million to initially develop and implement, and about $50,000 to $2 million (or more) to maintain annually, depending on the facility size.

A. The Regulations Apply to Article 28 “General Hospitals”

The Regulations apply to all “general hospitals” licensed pursuant to Article 28 of the Public Health Law.5 Under Public Health Law § 2801(10), a general hospital is defined as “a hospital engaged in providing medical or medical and surgical services primarily to in-patients by or under the supervision of a physician on a 24-hour basis with provisions for admission or treatment of persons in need of emergency care and with an organized medical staff and nursing service, including facilities providing services relating to particular diseases, injuries, conditions or deformities.”6

Therefore, at this time, the Regulations do not extend to nursing homes or residential health care facilities, public health centers, diagnostic and treatment centers (including ambulatory surgery centers), outpatient lodges for cancer treatment, dispensaries, laboratories or central service facilities serving more than one institution.

B. The Data Protected Under the Regulations Expands Beyond Protected Health Information to Nonpublic Information

The Regulations include requirements for the protection of “nonpublic information,” which is a broadly defined term that includes protected health information (PHI) as well as all nonpublic electronic information that is:

  • A hospital’s business-related information, the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of such hospital.
  • Personally identifiable information (PII) including any information concerning a natural person which, because of name, number, personal mark or other identifier, can be used to identify such natural person.7

This expansive definition of protected “nonpublic information” is broader than HIPAA, which covers PHI.

C. Required Reporting of Cybersecurity Incidents Within 72 Hours

Effective immediately, hospitals are required to notify NYSDOH within 72 hours of determining that a material cybersecurity incident occurred.8 The Regulations define a cybersecurity incident as a “cybersecurity event9 that:

  • Has a material adverse impact on the normal operations of the hospital.
  • Has a reasonable likelihood of materially harming any part of the normal operation(s) of the hospital.
  • Results in the deployment of ransomware within a material part of the hospital’s information systems.”10

Further, hospitals are required to submit certain documentation for examination by the NYSDOH, including records, schedules, reports and other data, and to maintain such documentation for six years.11 The hospital must also make available to the NYSDOH any documentation on areas, systems or processes identified as requiring material improvement, updating or redesign, which likewise must be maintained for six years.12

D. Cybersecurity Risk Assessment, Program and Policy

Although the requirement on reporting cybersecurity incidents is currently in effect, hospitals will have until October 2, 2025, to come into compliance with much of the Regulations, including, but not limited to, the requirements for regular risk assessments, establishing and implementing a robust cybersecurity program, and developing policies and procedures which must be approved by the hospital’s governing body. Additionally, if not already in place, hospitals must designate a qualified senior or executive-level staff member with proper training, experience and expertise to serve as CISO.13

1. Risk Assessments

Hospitals are required to perform thorough and regular risk assessments to evaluate potential vulnerabilities in their information systems.14  This includes, along with other components:

  • Identifying risks related to network infrastructure, business operations, medical devices and third-party vendors.
  • Documenting and implementing strategies to mitigate evolving threats and risks.
  • Updating such risk assessments periodically and after significant changes in the information systems, but no less than annually.

It is the intention that the risk assessments inform the establishment and implementation of the cybersecurity program and be conducted in accordance with the hospital’s policies and procedures.15

2. Cybersecurity Program

Hospitals must establish a cybersecurity program within their policies and procedures designed to protect the confidentiality, integrity and security of nonpublic information stored on the hospital’s information systems.16 The program must include, among other requirements:

  • Internal and external risk identification and mitigation measures to address known and emerging threats.
  • Incident response capabilities to detect, manage and recover from cyberattacks and allow for continuity of the hospital’s business and operations.
  • Policies and procedures to guide staff in maintaining secure operations and protecting hospital and patient data, which shall be reviewed annually and attested to by the CISO.17

3. Policies & Procedures

Compliance with the Regulations will include the development, ongoing review and maintenance of cybersecurity policies to safeguard against potential threats across a variety of activities. The Regulations include requirements for policies such as:

  • A security policy for third-party service providers.18
  • A policy to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information by such authorized users.19
  • A policy with instructions for carrying out a thorough risk assessment.20
  • An identity and access management policy to protect against unauthorized access to nonpublic information or information systems and identify the privileges of user accounts.21
  • A policy to memorialize the cybersecurity program based on the hospital’s risk assessments.22

The Regulations mark New York’s renewed focus on health care entities in response to threat actors’ sustained attacks on this sector, in an attempt to minimize data loss and delay of care.

These changes align with broader cybersecurity trends in health care, as further discussed below, including the adoption of zero trust frameworks by health care organizations, the use of artificial intelligence (AI) for cybersecurity threat detection, and the growing emphasis on regulatory compliance in the health care information technology sector.

II. Cybersecurity Trends

Cybersecurity attacks on health care facilities can result in devastating consequences, including compromising data privacy, disrupting care and risking patient safety. Additional problems include the cost of the disruptions, regulatory implications, reputational damage and potential lawsuits. In order to prepare for and combat cybersecurity threats, health care organizations can benefit from understanding cybersecurity risks and their mitigation, as well as emerging cybersecurity trends.

A. IBM’s Cost of a Data Breach Report

IBM’s 2024 annual Cost of a Data Breach Report23 (the “Report”) evaluated 604 organizations across 17 industries affected by data breaches between March 2023 and February 2024 and identified several key trends.

The Report indicated that in the past year, the global average cost of a data breach increased by 10% to $4.88 million, fueled by an increase in the costs of business disruption and post-breach responses, including higher regulatory fines. Notably, for the 14th year in a row, the health care industry held the top spot for the highest average cost of a data breach among the 17 industries, despite the cost falling by 10.6% in the past year to $9.77 million.

Malicious or criminal attacks represented 55% of data breaches, while IT failure and human error accounted for the remaining 23% and 22%, respectively.

The top five factors that increased costs were security systems complexity, security skills shortage, third-party breach, noncompliance with regulations and migration to the cloud.

Notably, the amount of regulatory fines organizations paid also increased, with a 22.7% rise in the share of organizations that paid over $50,000.

Stolen or compromised credentials represented the most frequent initial attack vector, occurring in 16% of breaches and carrying an average cost of $4.81 million, followed by phishing at 15% at a cost of $4.88 million. Malicious insider attacks cost the most at $4.99 million, but represented 7% of all data breaches.

Data stored across multiple types of environments accounted for the most breaches (40%), followed by data stored on public cloud (25%), on premise (20%) and private cloud (15%). About one-third of breaches involved data stored in unmanaged data sources, known as shadow data. Breaches involving shadow data held a 16% higher average cost and lasted 24.7% longer.

The average time to identify and contain a breach shrank from 277 days in the previous year to 258 days in 2024, a seven-year low. However, health care organization breaches took the longest to identify and contain, at nearly 300 days.24

After containment of a breach, recovery time was also significant. Eighty-eight percent of the organizations studied in the Report were still in the process of recovering. Of the 12% that had fully recovered, over three-quarters reported that recovery took longer than 100 days, while only 3% fully recovered in less than 50 days.

The top five factors that decreased the average cost of a data breach included employee training, AI and machine learning driven insights, security information and event management (SIEM), incident response (IR) planning, and encryption.

AI was the largest cost saver for organizations, saving an average of $2.2 million in breach costs when used extensively for prevention compared with no AI use for prevention. Use of AI also led to faster identification and containment, decreasing the time by 100 days for organizations with extensive use of AI.

B. HHS Hospital Cyber Resiliency Initiative Landscape Analysis

On April 17, 2023, the U.S. Department of Health and Human Services (HHS) 405(d) Program released the Hospital Cyber Resiliency Initiative Landscape Analysis,25 a report evaluating the threats facing hospitals and their cybersecurity capabilities. Although the report did not focus on sensitive data breaches, its scope included aspects related to patient care and clinical operations.

The report identified several cybersecurity threats to hospitals, including cloud exploitations, which increased by 95% from 2021; ransomware and ransomware-as-a-service (RaaS); phishing/spear-phishing attacks that overcome MFA by social engineering; software and zero-day vulnerabilities; and distributed denial of service (DDoS) attacks. The report also identified the following key observations:

  • Hospital adoption of important security aspects was variable. For example, MFA was not utilized regularly across all systems and entry points, which created potential vulnerabilities.
  • 89% of hospitals surveyed performed regular vulnerability scanning, but utilization of advanced testing, such as tabletop exercises, accounted for 20% or less of vulnerability assessments.
  • Although 99% of hospitals used basic spam and phishing protection, these basic protections are not always effective against the newest generation of social engineering and phishing attacks.
  • 50% or less of hospitals evaluated risk to patient safety from third-party suppliers.
  • 96% of hospitals used antiquated hardware, systems or software with known vulnerabilities.
  • Insurance premiums for cybersecurity rose by 46% in 2021, with 55% of hospitals in 2022 experiencing increases of more than 100%.
  • A significant shortage exists of cybersecurity professionals with the needed skills and experience.
  • Adoption of Health Industry Cybersecurity Practices (HICP) as a framework leads to improved cyber resiliency.

III. Conclusion

As cyber incidents become more costly, frequent and sophisticated, it is clear why regulators are motivated to implement regulations and establish clear mandates for safeguarding sensitive data in hospitals’ possession. The Regulations for New York hospitals set a new standard for cybersecurity in health care, reflecting the urgency of protecting sensitive patient data and maintaining operational safeguards. It is important that hospitals review their compliance programs and seek assistance from experienced professionals in light of the NYSDOH’s Regulations.

Additional Assistance

For further information on NYSDOH cyber regulations and how they affect your organization, please contact a member of the Phillips Lytle Data Privacy and Cybersecurity Team or the Phillips Lytle attorney with whom you have a relationship.

1 New York State Cybersecurity Strategy August 2023, https://www.governor.ny.gov/sites/default/files/2023-08/2023-NewYork-CybersecurityStrategy.pdf.

2 Id.

3 Press Release, Governor Hochul Announces Proposed Cybersecurity Regulations for Hospitals Throughout New York State (Nov. 13, 2023), https://www.governor.ny.gov/news/governor-hochul-announces-proposed-cybersecurity-regulations-hospitals-throughout-new-york.

4 10 NYCRR § 405.46 (2024).

5 10 NYCRR § 405.46(a) (2024).

6 N.Y. Pub. Health Law § 2801(10) (Westlaw through L.2024, ch. 1 to 456).

7 10 NYCRR § 405.46(b)(8) (2024).

8 10 NYCRR § 405.46(n) (2024).

9 A “‘[c]ybersecurity event’ means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse the hospital’s information system or information stored on such information system, including but not limited to health records.” 10 NYCRR § 405.46(b)(4) (2024).

10 10 NYCRR § 405.46(b)(5) (2024).

11 10 NYCRR § 405.46(n)(2) (2024).

12 10 NYCRR § 405.46(n)(3) (2024).

13 10 NYCRR § 405.46(e) (2024).

14 10 NYCRR § 405.46(b)(12) (2024).

15 10 NYCRR § 405.46(c) (2024).

16 Id.

17 Id.

18 10 NYCRR § 405.46(j) (2024).

19 10 NYCRR § 405.46(l) (2024).

20 10 NYCRR § 405.46(h) (2024).

21 10 NYCRR § 405.46(k) (2024).

22 10 NYCRR § 405.46(c) (2024).

23 IBM, Cost of a Data Breach Report 2024, https://www.ibm.com/reports/data-breach?utm_content=SRCWW&p1=Search&p4=43700067972513691&p5=p&p9=58700007546740765&gclid=EAIaIQobChMIqtqZ3MrZiQMVmkf_AR1BTyT6EAAYASABEgKTZfD_BwE&gclsrc=aw.ds (last visited Nov. 20, 2024).

24 IBM, Webinar, Cost of a data breach 2024: Top insights, AI impact, and risk reduction best practices (Aug 13, 2024), https://ibm.webcasts.com/starthere.jsp?ei=1677694&tp_key=fc2064da0f.

25 Dep’t of Health & Human Servs., Healthcare & Public Health Sector Coordinating Council, Ctrs. for Medicare & Medicaid Servs., HHS 405(d), Hospital Cyber Resiliency Initiative Landscape Analysis (Apr. 17, 2023), https://405d.hhs.gov/Documents/405d-hospital-resiliency-analysis.pdf.
