New York’s New Cybersecurity Rules for General Hospitals

By Daniel Lopez

On October 2, 2024, New York introduced new laws requiring “general hospitals” across the state to enforce cybersecurity measures. Before this law, state hospitals were only bound by the Health Insurance Portability and Accountability Act (HIPAA) to protect patients’ protected health information (PHI) and personally identifying information (PII).

Over 190 general hospitals impacted

As defined by state law, general hospitals are healthcare institutions that offer medical or surgical services to in-patients under a doctor’s supervision around the clock, with emergency care and admission provisions. The new law impacts over 190 general hospitals in New York; it excludes diagnostic centers, outpatient facilities, treatment centers, nursing homes, Veterans Affairs hospitals, and public health centers.

The legislation was driven by a surge of cyberattacks on New York hospitals in 2023, with the Department of Health responding to one major cyber incident each month. These attacks often caused operational disruptions, forced hospitals to transfer patients, and resulted in the theft of sensitive patient information.

New reporting requirements for cybersecurity incidents

Beginning October 2, 2024, covered hospitals must report any material cybersecurity incident to the New York State Department of Health within 72 hours of discovery. The 72-hour reporting window is noticeably longer than the 2-hour window proposed in the first draft of the law. The extended timeframe acknowledges the practical challenges hospitals face when incidents occur over weekends or holidays.

A “material cybersecurity incident” is any cybersecurity incident likely to harm a hospital’s operations, such as a ransomware attack that compromises hospital IT systems. Rapid reporting is intended to help the state respond quickly to events that could jeopardize patient care.

Compliance and cybersecurity requirements

Hospitals are required to comply with the full set of cybersecurity measures within one year of the law’s enactment. The new state requirements aim to enhance hospital cybersecurity beyond the current HIPAA Security Rule, which hasn’t been updated since 2013.

The legislation outlines specific steps hospitals must take to strengthen their defenses, including:

  • Performing an annual security risk assessment of their information systems.
  • Creating a comprehensive incident response plan.
  • Designating a Chief Information Security Officer (CISO).
  • Applying multifactor authentication on all external-facing systems.
  • Performing regular cybersecurity testing, such as vulnerability scans and penetration tests.
  • Maintaining detailed audit trails to enable prompt detection and response to incidents.
  • Checking user access privileges yearly and removing unnecessary access.
  • Providing ongoing cybersecurity training to employees, ensuring the training reflects new risks identified in risk assessments.

Although many hospitals may already have some of these procedures in place, the new requirements will entail costs. Estimates suggest that compliance could cost from $50,000 to $200,000 for smaller hospitals (with fewer than 10 beds), $200,000 to $500,000 for mid-sized hospitals (with 10-100 beds), and up to $2 million for larger facilities.

To support hospitals with compliance, New York released $650 million in Statewide IV and Statewide V funding earlier this year. Eligible hospitals have applied for grants since January, and those applications are presently under review.

Image credits: VideoFlow, AdobeStock


Posted by Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years’ experience as a HIPAA coach and provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA