This week, New York regulators announced that they plan to release proposed cybersecurity regulations for hospitals. The impetus for the proposed regulations is largely due to the increasing and devastating cyber attacks on the state's hospitals.
The proposed regulations will supplement the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which safeguards patient data. The regulations require hospitals to set up a cybersecurity program, use multi-factor authentication, assess cybersecurity risks, implement defense measures, and proactively prevent cyber threats. Hospitals will be required to prepare incident response plans for cybersecurity incidents and test these plans to ensure uninterrupted patient care. In addition, hospitals may be required to designate a Chief Information Security Officer, who will oversee and review the policies on an annual basis.
If the proposed regulations are adopted by the Public Health and Health Planning Council this week, they will be published in the State Register on December 6, 2023, and open for public comment until February 5, 2024. Hospitals will have one year to comply with the regulations once they are finalized.
"Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals," Governor Hochul said. "These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats."
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
We operate a free-to-view policy, asking only that you register in order to read all of our content. Please login or register to view the rest of this article.