New York has proposed stricter cybersecurity rules for hospitals across New York State in response to a series of debilitating attacks that have disrupted medical services, slowed patient care, and put patient safety at risk.
Governor Kathy Hochul announced the proposed measures, which are expected to be published in the State Register on December 6, 2023, once they are adopted by the Public Health and Health Planning Council. The new cybersecurity rules will then have a 60-day public comment period ending on February 5, 2033. Once the rules are finalized, hospitals will have a one-year grace period to reach full compliance.
The proposed rules would require New York hospitals to designate a Chief Information Security Officer if they do not already have one, to implement defensive infrastructure and cybersecurity controls such as multifactor authentication, and to perform regular risk assessments to identify cyber threats. Any in-house software must be developed using secure software design principles, and procedures must be established and applied for vetting the security of third-party software. Hospitals in the state will also be required to develop and test incident response plans to ensure that patient care continues in the event of a cyberattack.
New York hospitals already have cybersecurity obligations under the Health Insurance Portability and Accountability Act (HIPAA), which sets minimum cybersecurity requirements. The proposed rules are intended to complement the HIPAA Security Rule and include the same specifications, while also prescribing specific measures that hospitals must implement. The proposed regulations include a nation-leading plan to ensure New York State is prepared and resilient in the face of cyber threats.
There has been a large surge in healthcare cyberattacks in recent years. The HHS’ Office for Civil Rights recently reported that 77% of all healthcare data breaches today are due to hacking incidents. There has been a 239% increase in large data breaches over the last 4 years and a 278% increase in ransomware attacks. Although the number of reported data breaches involving 500 or more records is slightly lower than in 2022, over 102 million healthcare records were exposed or compromised, nearly twice the number of breached records in 2022.
These attacks clearly show that hospitals and health systems are struggling to prevent unauthorized access to their networks, and that strengthening cybersecurity requires more than compliance with the HIPAA Security Rule. The stakes for the nation’s hospitals are rising with regard to cybersecurity threats. “With threat actors frequently targeting hospitals and the possibly disastrous outcomes for continuing care, it is important that hospital leadership still spend money on cybersecurity risk mitigation steps. Governor Hochul’s new cybersecurity rules are an obvious indication to the healthcare sector that cybersecurity readiness is not a ‘nice-to-have,’” said Jamie Singer, co-leader of FTI Consulting’s Cybersecurity & Data Privacy Communications practice. “Having tested incident response processes and committed crisis communications plans set up is important for a hospital’s ability to take action efficiently and mitigate operational, financial, legal, and reputational injury in the middle of a live case.”
Priorities often compete in healthcare, and although spending on cybersecurity has increased, some hospitals have struggled to find the funding needed to improve their cybersecurity. To help ease that financial pressure, Governor Hochul’s FY24 budget allocates $500 million for healthcare facilities to upgrade their technology so they can comply with the proposed rules and pay for required cybersecurity solutions, electronic health records, advanced clinical technologies, and other technological improvements that enhance quality of care, patient access, experience, and efficiency.
Protecting hospitals is an important part of New York’s aggressive approach to keeping New Yorkers safe from numerous sophisticated cyberattacks, said New York State Chief Information Officer Dru Rai. Through the ongoing commitment of the Governor and agency partners, the state’s hospitals will receive the standard guidance and resources needed to further improve their own cybersecurity, thereby protecting patients and the critical systems that deliver quality care across New York.
As the U.S. healthcare system slowly recovers from a workforce crisis and employee burnout, the prospect of cyberattacks is alarming for every healthcare program. Given that 17% of healthcare cyberattacks result in physical harm or death, the current growth trajectory could end in tragedy. The industry is not deliberately at fault. Rather, a combination of inadequate education, low investment, and only some recommendations for how to begin change creates the perfect storm for exploitation by malicious actors. In light of these factors, the cybersecurity guidelines proposed by New York regulators will put in place a much-needed framework for incident response plans and drive the adoption of security measures such as multifactor authentication. Such rules are a good first step toward keeping both healthcare organizations and patients safe from malicious actors.
New York’s action is a step in the right direction for cybersecurity policy in healthcare, and all states should follow suit by creating state budgets to help hospitals that lack resources. Bad actors target health systems and hospitals because of the opportunities their vulnerabilities present. But it is not only data that is at stake; bad actors are pushing the limits of what they target, and that is putting people in danger. Stepping in to impose appropriate security procedures to protect patients is important from a policy standpoint.