Hospital cyber security requirements added to the New York Codes, Rules, and Regulations (NYCRR)
The state of New York has taken a bold step toward bolstering the security of its hospitals with new cyber security regulations now in effect. The regulation not only imposes strict incident reporting requirements but also mandates a range of preventive measures designed to stop cyber attacks before they disrupt care.
The new requirements also create a much-needed baseline for data protection. Until now, hospitals have had only the general safeguards of the federal HIPAA Security Rule to rely on; there has been no hospital-specific State standard setting out what must be in place to protect patients' protected health information (PHI) and personally identifiable information (PII).
Hospital CEOs and CISOs need to get up to speed quickly and begin taking steps to achieve compliance.
The stakes have never been higher for the health sector
No other industry faces greater consequences from cyber attacks than healthcare. IBM reports that the average cost of a breach in healthcare is nearly 60% higher than in any other industry, but the human toll is incalculable. When ransomware strikes, operations are disrupted, patient care comes to a halt, and lives are on the line.
It is precisely this exposure that makes hospitals such high-value targets. Attackers know executives are under immense pressure to restore operations quickly, which makes a ransom more likely to be paid. The cost of downtime alone tops $15.5M, to say nothing of the risk to public health and the potential liability resulting from delayed care. The reputational damage can also be severe: in the wake of a breach, hospitals spend an average of 64% more on advertising to win back patient trust.
Understanding the NY Hospital Cybersecurity Requirements
The new regulations aim to help hospitals strengthen their defenses by taking immediate, comprehensive action to protect patient data and maintain operational integrity. Codified as section 405.46 of Title 10 of the NYCRR, the provisions are championed by Governor Kathy Hochul and the NY Commissioner of Health as necessary to ensure that New Yorkers' data stays safe no matter where they go.
To start, all general hospitals must implement incident reporting immediately. Effective since October 2, 2024, they are required to notify the NY Department of Health of any material cybersecurity incident as promptly as possible, and no later than 72 hours after determining that the incident has occurred.
They then have until October 2, 2025, to implement the following preventive measures:
- Designate a Chief Information Security Officer (CISO), either by direct hire or through a third-party service.
- Establish a comprehensive cyber security program, including a written policy and an annual security risk assessment that drives the program's priorities.
- Implement continuous threat monitoring across all networks and systems so that threats can be detected and responded to in real time.
- Conduct penetration testing at least annually, together with vulnerability scans at a frequency determined by the risk assessment, to identify and remediate weaknesses in the network and systems.
- Implement Multi-Factor Authentication (MFA) for any individual accessing the hospital's internal networks from an external network.
- Train staff in cyber security awareness so that all employees understand the threats they face, what to watch for, and how to respond effectively.
Fortunately, the requirements are also backed in some cases by $650 million in Statewide Health Care Facility Transformation Program (SHCFTP) IV and SHCFTP V funds to help hospitals cover the cost of compliance.
How to meet the challenge of NY hospital cyber rules
While the price of implementing these new requirements could vary widely, the cost of a breach is almost certain to be much higher. There are not only the costs of downtime and recovery to consider, but also reputational damage and potential litigation, not to mention any ransom payments.
Before you spend on services you may not need or lack the staff to oversee, consider enlisting a trusted cyber security partner to navigate the complexity of these new mandates. Proven specialists, such as NCC Group, can support your healthcare organization by bolstering its security posture and providing comprehensive, tailored approaches designed for your needs and resources.
Here are a few examples of ways a security firm can help you achieve and maintain compliance without sacrificing patient care or straining your budget:
1. Integrated risk and security assessments:
Experienced consultants can conduct a dual-purpose risk assessment covering both HIPAA and New York requirements to provide a clear view of your risk landscape and compliance gaps without duplicating efforts.
2. Advanced threat detection and monitoring:
Managed Extended Detection and Response (MXDR) services enable you to detect and respond to threats in real time. They are typically backed by 24/7 Security Operations Centers (SOCs) for rapid incident handling, which also gives you the monitoring coverage and the evidence needed to meet the 72-hour reporting deadline.
3. Access control and data protection:
Digital Identity experts work closely with your team to deploy access control measures like multi-factor authentication and data segmentation, ensuring only authorized personnel can access sensitive information.
4. Tailored incident response planning:
In the event of an incident, response speed is crucial. IR teams can help you develop and test incident response plans, including tabletop and simulated exercises, so that your staff is ready to contain an incident, preserve evidence, and make the required notification to the Department of Health within 72 hours.
5. Penetration testing and vulnerability scanning:
Scheduled penetration testing and vulnerability scanning are tailored to your systems, allowing you to identify and remediate weaknesses while satisfying the new state requirements for regular testing.
6. Continuous compliance and training:
Regular security training customized for healthcare professionals will help your staff remain vigilant and meet regulatory standards. Training should focus on secure data handling and phishing prevention.
NCC Group: Your partner for streamlined compliance and peace of mind
At NCC Group, our hospital cyber security program reduces the complexity and costs of compliance, allowing you to focus on patient care. We support your staff all the way from initial assessments to ongoing compliance, ensuring they're equipped to handle current and emerging threats.
Don't let these new requirements overwhelm your organization. Let us help you implement a comprehensive cyber security strategy right away.
Keep up with NY's cyber security regulations
Take the first step—contact us today to learn how we can assist you in achieving this critical compliance.