New York is putting forth a series of fresh cybersecurity regulations aimed at the state's hospitals, a move that New Hyde Park, N.Y.-based Northwell Health's chief information security officer says is a positive step signaling recognition that additional efforts are essential to safeguard hospitals from cybersecurity threats.
Under the proposed regulations, the state plans to allocate $500 million from its fiscal year 2024 budget to support facilities in enhancing their technology systems. If these regulations are approved, hospitals would be required to implement a formal cybersecurity program, along with creating plans for responding to incidents, embracing secure software design principles for internal applications and deploying security technologies like multifactor authentication.
"As a CISO, I appreciate that this regulation will push hospitals to adopt more robust and standardized cybersecurity measures designed to enhance the overall security posture of the healthcare ecosystem," Kathy Hughes, vice president and chief information security officer at Northwell Health, told Becker's. "The draft regulation is recognition that cybersecurity is an important patient safety issue."
According to Ms. Hughes, the regulation sets a foundation for an all-encompassing cybersecurity program while simultaneously acknowledging the importance of tailoring cybersecurity measures to align with the individual risk assessment of each hospital, thereby allowing for flexibility.
"The regulation is a step in the right direction and acknowledgement that more needs to be done to protect hospitals against cybersecurity risks," she said. "It highlights important baseline requirements for a cybersecurity program and the need for further investment in people, process and technology to bolster their cybersecurity posture."
But there are some limitations to the regulation, according to Ms. Hughes, which include the potential financial strain these requirements might impose on hospitals and the proposed obligations to report cybersecurity incidents to the department.
Ms. Hughes also emphasized that compliance with the regulation may pose difficulties for some hospital chief information security officers.
"Hospital CISOs who are not currently at a senior or executive level within their organization (as required by the regulation) may have difficulty complying with the regulation due to a lack of authority and empowerment," she said.
Currently, the suggested regulations are scheduled for review by the state's Public Health and Health Planning Council. If approved, they will be officially published in the State Register on Dec. 6, initiating a 60-day public comment period. Hospitals will then have a one-year time frame to align with the finalized requirements once they are established.