The NYSDOH Proposes New Cybersecurity Rules on State Hospitals

Overview

Healthcare organizations are under constant attack by external threats. Unfortunately, many of these organizations have cybersecurity programs that are not developed enough to protect them. In November 2023, the New York State Department of Health (NYSDOH) proposed a regulation with the objective of enhancing cybersecurity protocols at state hospitals.

This regulation would require all hospitals operating within New York State to establish a written cybersecurity program, designate a chief information security officer (CISO), perform risk assessments, and implement multifactor authentication (MFA). The regulation also covers what data is considered nonpublic information (NPI) and what levels of encryption should be implemented to protect that data. Under the regulation, CISOs of New York hospitals would also have to submit reports of cybersecurity incidents to the NYSDOH within two hours. When this regulation is adopted, New York hospitals will have 1 year to comply.

Elements of the Cybersecurity Programs to Consider

The regulation clearly defines all the necessary elements of the cybersecurity program. Below, we highlight a few of them:

  • Cybersecurity policies and procedures that cover:
    • Information security, data governance, and classification.
    • Asset inventory and device management.
    • Access controls and identity management.
    • Business continuity, disaster recovery planning, and other resources.
    • Systems operations and availability concerns.
    • Systems and network security and monitoring.
    • Systems and application development and quality assurance.
    • Physical security and environmental controls.
    • Patient data privacy.
    • Vendor and third-party service provider management.
    • Risk assessments, training, and monitoring.
    • Overall incident response procedures.
  • Risk assessments on an annual basis
  • Vulnerability testing
  • Proper MFA implementation
  • Logging and monitoring controls
  • Proper security training
  • Reporting for cybersecurity incidents

How Can a vCISO Help?

To comply with the proposed rules and successfully integrate the controls mentioned above, hospitals will also need to designate a CISO. This role should be filled by appropriately qualified and trained senior or executive personnel, or by a third-party or contract vendor. The regulation will have an impact on over 200 New York hospitals and facilities. The economic impact varies with hospital size, but implementing these requirements could cost from $50,000 to $10 million. That cost is made up of the technology, people, and processes each entity must develop. That’s where a virtual Chief Information Security Officer (vCISO) can step in.

As an external security professional, a qualified vCISO can contribute by working part-time and remotely, offering strategic guidance to implement the policies and procedures based on the hospital’s risk assessments. Not only can this solution speed up the implementation of the various controls, but it can also greatly reduce the cost and help with the financial impact this regulation can have on hospitals operating in New York State.

As we continue to monitor the NYSDOH’s proposed cybersecurity rules, reach out to a member of our vCISO team today and learn how we can assist.