New York’s New
Hospital Cyber Security Requirements Demand Urgent Steps for CEOs & CISOs

The state of New York has taken a bold step toward bolstering the security of its hospitals with new cyber security legislation now in effect. The mandate not only enacts strict incident reporting requirements but also includes a myriad of required measures to help prevent cyber attacks.

Additionally, the new requirements will create a much-needed baseline for data protection, as there previously have not been any clear Federal or State cyber security requirements to safeguard patients' protected health information (PHI) and personally identifiable information (PII).

Hospital CEOs and CISOs need to get up to speed quickly and begin taking steps to achieve compliance.

The stakes have never been higher for the health sector

No other industry faces greater consequences of cyber attacks than healthcare. IBM reports that the average cost of breach is nearly 60% higher than in any other industry, but the human toll is innumerable. When ransomware strikes, operations get disrupted, patient care comes to a halt, and lives are on the line.  

It's precisely this high vulnerability that makes hospitals such high-value targets. Attackers know executives are under immense pressure to resolve the situation quickly. The cost of downtime alone tops $15.5M, to say nothing of the risk to public health and the potential liability costs resulting from delayed care. Furthermore, the reputational damage can be severe: in the wake of a breach, hospitals spend an average of 64% more on advertising to win back patient trust.

While the price of implementing these new requirements could vary widely, the cost of a breach is almost sure to be much higher. There's not only the issues of downtime and recovery, but also reputational damage and potential litigation to think about—not to mention any ransom payments.

But before you spend on services you may not need or have the staff to oversee, consider enlisting a trusted cyber security partner to navigate the complexity of these new cyber security mandates. Proven specialists, such as NCC Group, can support your healthcare organization by bolstering its security posture and providing comprehensive, tailored approaches explicitly designed for your needs and resources.

Here's a few examples of ways a security firm can help you achieve and maintain compliance without sacrificing patient care or straining your budget:

1. Integrated risk and security assessments:

Experienced consultants can conduct a dual-purpose risk assessment covering both HIPAA and New York requirements to provide a clear view of your risk landscape and compliance gaps without duplicating efforts.

2. Advanced threat detection and monitoring:

Managed Extended Detection and Response (MXDR) services enable you to detect and respond to threats in real-time. They are typically backed by 24/7 Security Operations Centers (SOC) for rapid incident handling.

3. Access control and data protection:

 Digital Identity experts work closely with your team to deploy access control measures like multi-factor authentication and data segmentation, ensuring only authorized personnel can access sensitive information.

4. Tailored incident response planning:

In the event of an incident, response speed is crucial. IR teams can help you develop and test incident response plans, including simulated exercises to ensure your staff is ready to respond swiftly and effectively.

5. Penetration testing and vulnerability scanning: 

Scheduled penetration testing and vulnerability scanning are tailored to your systems, allowing you to identify potential weaknesses while complying with the new state requirements for regular assessments.

6. Continuous compliance and training:

Regular security training customized for healthcare professionals will help your staff remain vigilant and meet regulatory standards. Training should focus on secure data handling and phishing prevention.