New York State Department of Health Adopts Hospital Cybersecurity Regulations

By Erik Dullea & Ashton Harris on November 13, 2024

Keypoint: With the increased frequency and severity of cyberattacks against healthcare systems, state and federal agencies strive to improve cybersecurity controls with varied success.

In November 2023, New York Governor Kathy Hochul announced proposed regulations that would be the first state cybersecurity regulations for hospitals in New York. The governor described the proposed regulation as a “nation-leading blueprint” that would complement the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule enforced by the U.S. Department of Health and Human Services (HHS).

Eleven months later, the New York State Department of Health (NYDOH) has published the final cybersecurity regulation, codified at 10 NYCRR 405.46. Although the NYDOH regulation is another example of state-specific cybersecurity requirements, there is some evidence of regulatory harmonization across industry sectors.

Many of the definitions and requirements in the new NYDOH regulation are closely aligned with the New York Department of Financial Services (NYDFS) cybersecurity regulation 23 NYCRR Part 500 that has been in effect for several years. For instance, the NYDOH definition of a cybersecurity incident mirrors the NYDFS definition of a cybersecurity incident.

The one NYDOH requirement that went into effect immediately is the Cybersecurity Incident Reporting requirement. Once again mirroring the NYDFS requirement for covered financial entities, covered hospitals must now notify NYDOH of a cybersecurity incident within 72 hours.

The rest of the NYDOH requirements go into effect on October 2, 2025, including a requirement for all hospitals licensed in New York to:

  • Implement a cybersecurity program that is tailored to each hospital’s individualized risk assessment and addresses several core topics, including defensive infrastructure; cybersecurity event detection, response, and recovery; and fulfillment of statutory and regulatory reporting obligations;
  • Designate a Chief Information Security Officer (CISO), employed either by the hospital or by a third-party service provider, who provides annual briefings to the hospital’s governing body;
  • Perform penetration testing and vulnerability scans of hospital systems annually;
  • Implement identity and access management controls such as multifactor authentication;
  • Implement regular training and awareness and monitoring programs; and
  • Develop an Incident Response Plan for cybersecurity incidents.

HHS Recently Unveiled Proposed Updates to HIPAA Security Rule

The HIPAA Journal reported that, as of October 18, 2024, HHS had completed a proposed update to the HIPAA Security Rule, which was shared with the Office of Information and Regulatory Affairs at the Office of Management and Budget (OMB) for review.

More recently, HHS’s Health Sector Cybersecurity Coordination Center has issued several reports of ongoing and emerging cyberthreats to the healthcare sector, including living-off-the-land attacks, F5 cloud vulnerabilities, and Oracle’s “Miracle Exploit.” This relentless barrage of new reports highlights the sense of national urgency that the Security Rule update aims to address, while reinforcing concerns that any update may be out of touch with the sector’s strained financial and administrative capabilities.

With a second Trump administration set to begin in 70 days, the prognosis for any HHS proposed updates is uncertain at best, and any future initiatives applicable to covered healthcare entities might be subsumed into a broader national cybersecurity strategy.

Takeaway

In the absence of federal legislative or agency action keeping pace with technology, history will likely continue to repeat itself. As we have seen in the areas of artificial intelligence, data breach notifications, and data privacy protections, state governments are enacting laws and regulations in the face of federal inaction. Cybersecurity regulations for hospitals may follow suit.

Erik Dullea

As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before returning to the firm in 2023.

Ashton Harris

Ashton provides regulatory counsel to healthcare providers and industry partners, helping them navigate complex and frequently-changing rules.
  • Posted in:
    Health Care
  • Blog:
    Healthcare Law Insights
  • Organization:
    Husch Blackwell LLP
