The Biden administration is gradually rolling out new cybersecurity regulations for government agencies and their contractors, and some states have opted to take the same approach. One of them is New York, where existing requirements for energy companies will be joined by new rules for the healthcare sector.
The timeline begins with publication of the new cybersecurity regulations on December 6, and impacted organizations will then have a year to come into compliance. A public comment period remains open until early February, and the state is promising funding to assist primarily smaller and more rural healthcare facilities with getting their cybersecurity programs up to speed.
New York cybersecurity regulations look to protect vulnerable hospitals
There has been a general uptick in attacks on healthcare organizations in recent years, and New York has not been spared. Hackers have also proven there is no low they will not sink to, as a health network in neighboring Pennsylvania learned earlier this year when photos of breast cancer patients were leaked as a means of applying ransom pressure.
The Governor’s office appears to be responding to this trend, but this is also part of an ongoing program of cybersecurity regulations and improvements for critical infrastructure in the state that dates back to 2022. While the Biden administration has been active in its own requirements for companies that provide vital utilities and services, it is somewhat legally limited in what it is able to do without lengthy and contentious Congressional involvement. States like New York have made moves to pick up the slack within their own borders, citing the damage and general panic caused by attacks like the Colonial Pipeline incident, and the fact that several deaths at or involving hospitals now have some sort of tie to a ransomware attack.
Cyber criminals are interested in the healthcare industry due to the triple whammy of tending to have relatively poor IT funding and staffing (worse the farther you get from major cities), lots of valuable patient records, and an extreme sense of urgency about restoring systems that have been compromised. Hospitals also tend to interact with many different third-party vendors that may well have their own security issues.
New CISO positions coming for New York healthcare organizations
One of the highlight items in the new cybersecurity regulations is a mandate for state healthcare organizations to appoint a CISO to handle all of these new requirements, if they do not have one already. At least initially, the new rules will apply to all patient care facilities that also meet the requirements to be regulated by HIPAA; the new regulations will sit alongside HIPAA without changing anything that already exists.
The new CISOs will be put to work immediately as the cybersecurity regulations also set specific requirements for facility security programs, including how they anticipate risk and handle defensive measures. There are also new requirements for implementing and testing incident response plans, and for employees to use an MFA method when they log into the organization’s network from some external source.
Needless to say, compliance will be an expensive proposition for the state’s healthcare facilities. New York’s 2024 budget will thus have $500 million set aside for assistance in specifically getting up to code with the new cybersecurity regulations, with the maturity of existing programs and size by bed count as factors in determining what each healthcare facility will be eligible for. This could be as much as $10 million depending on the circumstances.