New York Gov. Kathy Hochul has proposed statewide cybersecurity regulations for hospitals. Her fiscal 2024 budget contains $500 million in funding that healthcare facilities could apply to upgrading their technology systems to comply with the proposed regulations.
Hochul’s office said the proposed regulations aim to strengthen the protections on hospital networks and systems that are critical to providing patient care, as a complement to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule that focuses on protecting patient data and health records.
Under the proposed provisions, hospitals would be required to establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks, use defensive techniques and infrastructure, implement measures to protect their information systems from unauthorized access or other malicious acts, and take actions to prevent cybersecurity events before they happen.
In a statement, State Health Commissioner James McDonald, M.D., M.P.H., said, “Under Governor Hochul’s leadership, New York State has significantly enhanced its cyber defenses, which are critically important to our health care system. When we protect hospitals, we protect patients. These nation-leading draft cybersecurity hospital regulations build on the Governor’s state of the state priority by helping protect critical systems from cyber threats and ensuring New York’s hospitals and health care facilities stay secure.”
Additionally, the proposed regulations would require that hospitals develop response plans for a potential cybersecurity incident, including notification to appropriate parties. Hospitals will also be required to run tests of their response plan to ensure that patient care continues while systems are restored back to normal operations.
The proposed regulations mandate that each hospital’s cybersecurity program includes written procedures, guidelines, and standards to develop secure practices for in-house applications intended for use by the facility. Hospitals will also be required to establish policies and procedures for evaluating, assessing, and testing the security of externally developed applications used by the hospital.
The proposed regulations also require hospitals to establish a Chief Information Security Officer role, if one does not exist already, in order to enforce the new policies and to annually review and update them as needed. Additionally, the proposed regulations require the use of multi-factor authentication to access the hospital’s internal networks from an external network.
The $500 million in funding was included in the Governor’s FY24 budget and will be part of an upcoming statewide capital program call for applications, opening soon. These funds will spur investment in modernization of healthcare facilities as well as utilization of advanced medical technologies, cybersecurity tools, electronic medical records, and other technological upgrades to improve quality of care, patient experience, accessibility, and efficiency.
If adopted by the Public Health and Health Planning Council this week, the regulations will be published in the State Register on Dec. 6, and undergo a 60-day public comment period ending on Feb. 5, 2024. Once finalized, hospitals will have one year to come into compliance with the new regulations.