Governor Kathy Hochul has proposed cybersecurity regulations for hospitals, backed by a $500 million allocation in the FY24 budget. These regulations aim to fortify hospital networks against escalating cyber threats, complementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which focuses on safeguarding patient data.
Under the proposed provisions, hospitals must establish comprehensive cybersecurity programs, assess internal and external risks, implement defensive techniques, and take preventative actions against cyber threats. The regulations also mandate the creation of response plans for potential incidents, including notification procedures, with tests to ensure continued patient care during system restoration.
“Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals,” Governor Hochul said. “These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”
Under the proposed regulations, hospitals are required to develop secure practices for in-house and externally developed applications. There is also a mandate for a Chief Information Security Officer. The regulations also advocate for multi-factor authentication to access internal networks from external sources.
The $500 million funding, part of the Governor’s FY24 budget, will support modernization efforts, including cybersecurity tools, electronic medical records, and technological upgrades. If adopted, the regulations will undergo a 60-day public comment period, concluding on Feb 5, 2024. Once finalized, hospitals will have a year to comply.