This week, New York regulators announced that they plan to release proposed cybersecurity regulations for hospitals. The impetus for the proposed regulations is largely due to the increasing and devastating cyber attacks on the state's hospitals.
The proposed regulations will supplement the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which safeguards patient data. The regulations require hospitals to set up a cybersecurity program, use multi-factor authentication, assess cybersecurity risks, implement defense measures, and proactively prevent cyber threats. Hospitals will be required to prepare incident response plans for cybersecurity incidents and test these plans to ensure uninterrupted patient care. In addition, hospitals may be required to designate a Chief Information Security Officer, who will oversee and review the policies on an annual basis.
If the proposed regulations are adopted by the Public Health and Health Planning Council this week, they will be published in the State Register on December 6, 2023, and open for public comment until February 5, 2024. Hospitals will have one year to comply with the regulations once they are finalized.