New York state proposes new cybersecurity program and incident reporting requirements for hospitals
2023 PRINDBRF 0624
By Christine Moundas, Esq., Gideon Zvi Palte, Esq., and Bessie Frías, Ropes & Gray
Practitioner Insights Commentaries
December 13, 2023
(December 13, 2023) - Christine Moundas, Gideon Zvi Palte and Bessie Frías of Ropes & Gray discuss New York state's proposed hospital cybersecurity regulations, which would impose requirements such as the appointment of a chief information security officer and reporting of material cybersecurity incidents within two hours.
On November 13, 2023, New York Governor Kathy Hochul announced the release of proposed statewide hospital cybersecurity regulations that would require state-licensed hospitals to establish cybersecurity programs, policies and procedures (the "Proposed Regulations").1 The Proposed Regulations feature requirements regarding cybersecurity policies and procedures, personnel, user authentication methods, security risk assessments, incident response plans, and two-hour reporting of certain incidents.
If approved by the New York State Public Health and Health Planning Council ("PHHPC") and subsequently finalized, the Proposed Regulations would supplement federal Health Insurance Portability and Accountability Act ("HIPAA") Security Rule requirements but would be broader in some respects, including with regard to what information is subject to the requirements.
Proposed Hospital Cybersecurity Requirements. Notable requirements of the Proposed Regulations include the following:
Requirements Applicable to Nonpublic Information: The Proposed Regulations would impose cybersecurity requirements with respect to "Nonpublic Information," which includes a hospital's confidential business-related information as well as information that can be used to identify a natural person. This is broader than HIPAA, which applies only to "protected health information" that can be used to identify a patient; a hospital's HIPAA-scoped safeguards would therefore not, on their own, cover everything the Proposed Regulations reach.
Cybersecurity Program: The Proposed Regulations would require hospitals to establish a cybersecurity program that features specified capabilities, including identification and assessment of cybersecurity risks, defensive infrastructure, and response to identified or detected cybersecurity events to mitigate any negative effects.
CISO: Hospitals would be required to appoint a qualified senior or executive-level staff member with proper training, experience, and expertise to serve as Chief Information Security Officer ("CISO") responsible for the cybersecurity program. Among other responsibilities, the CISO would be required to develop and recommend a cybersecurity policy that meets requirements specified in the regulatory text for adoption by the hospital's governing body and to provide an annual written report to the governing body on the hospital's cybersecurity program and material cybersecurity risks. Hospitals may need to review the roles and responsibilities of their security executives to ensure that such executives are empowered to undertake these new CISO responsibilities.
Cybersecurity Personnel: Hospitals would be required to use qualified cybersecurity personnel or a third-party service provider to manage the cybersecurity program. If using a third-party service provider, the hospital would be required to implement written policies and procedures designed to ensure the security of information systems and Nonpublic Information accessed by such third parties. The Proposed Regulations also specify requirements for third-party service provider contracts. Hospitals that engage third-party service providers to assist with their cybersecurity programs may need to review the terms of such engagements to ensure compliance with these new requirements.
Information System User Authentication: Hospitals would need to use multi-factor authentication, risk-based authentication, or other compensating controls for user authentication to protect against unauthorized access to Nonpublic Information or information systems. Multi-factor authentication would need to be required for accessing the hospital's internal network from an external network, unless the CISO approves otherwise in writing.
Testing, Vulnerability Assessments, and Risk Assessments: Hospitals would be required to undertake an annual risk assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of Nonpublic Information and information systems. Hospitals also would need to develop monitoring and testing, in accordance with the risk assessment, designed to assess the effectiveness of the hospital's cybersecurity program and to assess changes in information systems that may create or indicate vulnerabilities. Such monitoring and testing must include (i) penetration testing of the hospital's information systems by a qualified internal or external party at least annually, and (ii) automated scans, or manual or automated reviews, of information systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the hospital's information systems based on the risk assessment. These requirements are more prescriptive than HIPAA's requirement for "periodic" risk analyses, and hospitals may need to revise their HIPAA risk analysis plans to ensure compliance with these new requirements.
Audit Trails and Records Maintenance: Hospitals would be required to maintain, for at least six years, records pertaining to systems design, security, and maintenance, as well as audit trails designed to detect and respond to significant cybersecurity threats. The six-year period mirrors HIPAA's record retention obligation, which requires required documentation (including policies and procedures) to be kept for six years from the date of its creation or the date it was last in effect, whichever is later.
Incident Response Plans: Hospitals would be required to adopt a written incident response plan designed to promptly respond to and recover from material security incidents in accordance with requirements specified in the Proposed Regulations.
Two-Hour Incident Reporting: Immediately upon finalization of the Proposed Regulations, hospital CISOs would be required to report to the New York State Department of Health ("NYSDOH") within two hours of a determination that a cybersecurity incident has occurred and has had a material adverse impact on the hospital. Hospitals must retain documentation related to such incidents for at least six years and provide it to NYSDOH upon request.
Estimated Compliance Costs and Cybersecurity Funding. The state estimates significant compliance costs, ranging from tens of thousands to tens of millions of dollars per hospital. Nevertheless, the state believes the Proposed Regulations are necessary given the high-risk cybersecurity environment in which hospitals operate.
In 2023, NYSDOH responded to more than one cybersecurity incident per month, several of which forced hospitals to turn away patients, stopped their billing procedures, and hampered care delivery. These incidents have impacted many New Yorkers, with over 225,000 patients potentially being affected in one breach alone.
In addition, the state has included $500 million in available funds in its fiscal year 2024 budget for which hospitals can apply to help upgrade their cybersecurity programs to satisfy the new requirements.
Next Steps. The PHHPC discussed the Proposed Regulations at its meeting on November 16, 2023, and expressed concern about harmonizing federal and state approaches to cybersecurity regulation and the significant compliance costs for hospitals. Indeed, the Proposed Regulations represent a novel state approach to cybersecurity regulation of hospitals by introducing requirements intended to supplement HIPAA requirements. PHHPC intends to revisit the Proposed Regulations at its next meeting on January 25, 2024.
The new requirements would take effect one year after their finalization, except for new security incident reporting requirements, which would take effect immediately. To comply, hospitals would need to update their cybersecurity policies and procedures, hire cybersecurity professionals, change their incident response procedures, and revise their planned security risk assessments.
These Proposed Regulations arrive on the heels of the expansion of cybersecurity governance, safeguards, and incident reporting requirements applicable to entities regulated under New York's insurance law (including health insurance companies), banking law, or financial services law.2
As a whole, these regulatory developments highlight the increased expectations and scrutiny around cybersecurity programs for the healthcare sector.
Notes
1 Governor Hochul Announces Proposed Cybersecurity Regulations for Hospitals Throughout New York State, N.Y. State Gov't (Nov. 13, 2023), https://on.ny.gov/46Ca4EH.
2 See Christine Moundas & Briana Fasone, NYSDFS Expands Requirements for Cybersecurity Governance, Safeguards and Incident Reporting for New York State Health Insurance Companies, Ropes & Gray LLP (Nov. 20, 2023), https://bit.ly/47DiblB.
Christine Moundas is a partner in Ropes & Gray's health care group and co-head of the firm's digital health initiative. Moundas provides strategic, regulatory, compliance and transactional advice to health care technology companies, health systems, pharmaceutical companies and investors. She counsels clients on cutting-edge issues in the digital health space, including artificial intelligence, interoperability and big data initiatives. She can be reached at [email protected]. Gideon Zvi Palte is an associate in the firm's health care group. He advises health care providers, technology companies, insurance companies, health care organizations and investors on transactional and regulatory issues. He can be reached at [email protected]. Bessie Frías is a law clerk in the firm's health care practice. She provides regulatory, compliance, transactional and governance advice to health care clients and investors. She can be reached at [email protected]. The authors, who are based in New York City, would like to thank law clerk Peyton Brooks and associate William Shefelman for their contributions to this article, which was originally published Nov. 28, 2023, on the firm's website. Republished with permission.
© 2024 Thomson Reuters. No claim to original U.S. Government Works.