New York moves toward cybersecurity regulations for hospitals, paving way for other states

Hospitals in New York state may soon have new requirements regarding cybersecurity.

New York Gov. Kathy Hochul has proposed new regulations for hospitals to have established policies to protect against cyberattacks. She's also making $500 million in state funds for hospitals to upgrade their defenses. (Photo credit: Susan Watts/Office of Governor Kathy Hochul)

New York Gov. Kathy Hochul introduced a proposal this week for cybersecurity regulations for the state’s hospitals. Health systems would be required to have written security procedures, response plans for attacks, and policies regarding notifications to individuals affected by breaches.

Hochul is also making $500 million in state funds available to strengthen their technology systems to comply with the planned state regulations.

"Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals," Hochul said in a statement. "These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”

• Read more: Emerging cybersecurity threats in healthcare | Special report

The proposal still has some steps before being established. If the proposal is approved by the New York Public Health and Health Planning Council, the regulations will be published in the New York State Register on Dec. 6, allowing for a 60-day public comment period ending on Feb. 5.

Once finalized, hospitals will have a year to comply with the regulations.

Michael Hamilton, founder and chief information security officer for Critical Insight, a cybersecurity firm, said the New York proposal makes sense, particularly as there’s growing push back against some federal regulations. He expects other states to emulate New York’s proposal.

“The states, I believe, will follow New York's lead in creating nearly identical regulations,” Hamilton tells Chief Healthcare Executive®.

“I think this is a positive step,” Hamilton says. “And I think we're going to see more of that.” He said he does expect the prospect of $500 million in taxpayer money being used for cybersecurity is likely to inspire debate.

While Hamilton sees more states requiring hospitals and health systems to comply with certain standards for cybersecurity, Hamilton says he expects to eventually see a “national privacy statute.” He points to a California law giving residents the right to seek damages following breaches of private health information, saying it has spurred a host of class action lawsuits following cyberattacks.

The Hochul administration said the $500 million in funding is part of the governor's 2024 budget, and applications will open soon. The money will be available to help systems obtain better cybersecurity tools. She also said money would be available for upgrades of electronic medical records, and other measures to improve patient care.

The governor’s office said the regulations are meant to supplement the federal Health Insurance Portability and Accountability Act Security Rule (commonly called “HIPAA”) which is designed to protect health records.

Under the proposed New York regulations, hospitals will be required to develop cybersecurity programs and show that they are assessing risks of cyberattacks. They also will have to show that they are taking actions “to prevent cybersecurity events before they happen,” according to a news release from the Hochul administration.

New York State Health Commissioner James McDonald said the proposed regulations are an essential step to safeguarding health systems.

“When we protect hospitals, we protect patients,” McDonald said in a statement. “These nation-leading draft cybersecurity hospital regulations build on the Governor’s state of the state priority by helping protect critical systems from cyber threats and ensuring New York’s hospitals and health care facilities stay secure.”

More than 88 million individuals have been affected by large breaches of personal health information, the U.S. Department of Health & Human Services said earlier this month.

The number of people affected by health data breaches has risen by 60% in 2023, the health department says. The department said 77% of the large breaches this year have come from cyberattacks.

More hospitals and healthcare organizations have suffered ransomware attacks this year. In the first half of 2023, more than 220 hospitals were affected by cyberattacks, according to the American Hospital Association.

The health department requires organizations to disclose if they’ve suffered a breach of private health information affecting more than 500 people. So far this year, there have been 47 breaches of health records in New York, according to the department’s database.

Last month, a New York health system had to temporarily divert patients due to a cyberattack.

Cybersecurity analysts say hospitals and health systems are subject to attacks because they have highly valuable patient data. But experts acknowledge that attackers know hospitals will also pay a ransom to protect information or restore systems.

In this video, cybersecurity experts talked with Chief Healthcare Executive® about the difficult questions hospitals face in cyberattacks.

Read more: Paying the ransom: Hospitals face hard decisions in cyberattacks