New Cybersecurity Regulations under the NYS Hospital Code Proposed by Gov Hochul

This article was written by Carl Cadregari, Executive Vice President, FoxPointe Solutions & Brandon Agostinelli, Managing Security Consultant at FoxPointe Solutions.

Without a doubt, supporting the continually cyber-attacked infrastructures of our healthcare providers is on the minds of every person in leadership roles at every health system. Anything that can help protect our valuable systems and data and support the missions of our health systems should be explored. Regarding this recent proposed update to the NY Hospital Code (announced on November 13, 2023), when you dig into these suggested updates, there are a limited set of absolutely “new” and required updates to your cyber controls and defenses. Our Governor has stated that the regulations are meant to layer on top of the existing HIPAA requirements and include additional protections, reporting deadlines, and mandatory cyber protection updates.

The good news is that the Governor is proposing up to $500M in funding that would be available to be applied for by your hospital to help defray the costs associated with implementing the technologies and changes as required by the law. However, there is no relief for the mandatory changes if you are not granted any funding.

Overall, the new controls in the regulation are focused on hospitals’ data and cyber protections and look, in many ways, very similar to those required by HIPAA (and other data protection laws like the new Federal Trade Commission Safeguards law, Version 2 of the NY Department of Financial Services Cybersecurity Regulation, NY SHIELD Act, etc.) with a higher level of specificity, and a few notable changes. The mandatory requirement is for you to focus your documented cybersecurity controls, policies, and procedures based on a detailed (and documented) risk assessment. This is intended to supplement existing HIPAA security and privacy requirements. The most significant wording difference between the laws is that the term all nonpublic information, not just ePHI, is used. The other notable changes are that a “compliant cybersecurity program” must include the following activities:

• Apply a “defensive infrastructure” to protect the hospital’s information systems and data stored on those information systems from unauthorized access.
• Periodically assess the strength of the cybersecurity infrastructure to ensure that patient care can continue while systems are restored to normal operations during and after cyber incidents.
• Securely dispose of any nonpublic information identified that is no longer necessary for business operations.
• Establish policies for evaluating and testing the security of third-party applications used by the hospital.
• Implement encryption to protect nonpublic information held or transmitted by the hospital.
• Require the hospital to use risk-based authentication or multi-factor authentication controls to protect against unauthorized access to its nonpublic information or information systems.

A “new” definition for a “cybersecurity incident” is one that:

• Has a material adverse impact on the normal operations of the hospital.
• Has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity, or
• Results in the deployment of ransomware within a material part of the hospital’s information systems.

One of the significant changes surrounds information retention. HIPAA requires that any covered entity or business associate maintain “HIPAA” information (45CFR164.316) from its last date of change or update for six years past that date, but the new proposal require you to maintain records of the cybersecurity systems for six years, which records must include any audit trails detecting and responding to cybersecurity events that have a reasonable likelihood of materially harming normal operations of the hospital and assessments identifying areas of the cybersecurity system that require improvement, updates, or redesign.

Additionally, you will need to designate a qualified senior or executive-level staff member with proper training, experience, and expertise to serve as Chief Information Security Officer or “CISO” (which is a significant change as HIPAA requires a named Security Official) to enforce (not just implement) the new policies and to annually review (not just periodic) and update them as needed; and, that person may either be an internal or contracted from a third party. In addition to existing reporting/notification requirements, the CISO would be responsible for notifying the NYSDOH within two hours of a cybersecurity incident. There is also a requirement to use qualified cybersecurity personnel or a third-party service provider to manage the cybersecurity program.

The State Registrar (https://dos.ny.gov/state-regis...) should have the proposed regulation published around December 6, 2023. That will be followed by a 60-day public comment period at which point the comments will be reviewed and responded to before the regulation is put into effect. Once put into effect, you will have one year to comply with the new requirements; but the obligation to report cybersecurity incidents to NYSDOH would be effective immediately, which would mean your CISO would need to be on-board at that time. When the rule is published, we expect there to be additional information regarding the possible sanctions for non-compliance.

As for the future, it is reasonable to think that our other healthcare providers that are not part of a hospital, at some point on the near future any approved regulation will be updated to include any entity that is in possession of our valuable health data.

Call to Action: While this is still a proposed law, due to the current cyber risks and attacks not slowing down, it is reasonable that there is a strong chance this rule will pass. As such, it is time to validate that a qualified senior or executive-level staff is formally designated with the title of CISO. Additionally, it is vitally important to ensure that you have a risk assessment program that is implemented and has assessments performed over all security and privacy-related controls that govern your data on an annual basis. A compliant organization is one that ensures policies and procedures are documented, controls are implemented, and risk assessments are regularly performed in order to maintain a secure environment over time.

The FoxPointe Team is ready to answer any questions, support your clients’ needs, from vCISO to general consulting to risk and gap assessments & more. For more information, please contact Brandon Agostinelli bagostinelli@foxpointesolutions.com or Carl Cadregari at ccadregari@foxpointesolutions.com.

This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.