New York state regulations aiming to boost hospital cybersecurity went into effect this month.
Here are eight things to know, according to an Oct. 8 National Law Review article.
1. The rules took effect Oct. 2, but hospitals have a year to comply with all of the requirements except one, which applies immediately: cybersecurity incidents that affect operations must be reported within 72 hours.
2. The regulations, released by Gov. Kathy Hochul in 2023, apply to general hospitals, defined as facilities "providing medical or medical and surgical services primarily to in-patients by or under the supervision of a physician on a twenty-four-hour basis with provisions for admission or treatment of persons in need of emergency care and with an organized medical staff and nursing service, including facilities providing services relating to particular diseases, injuries, conditions or deformities."
3. New York hospitals will be required to appoint a chief information security officer. The facilities' cybersecurity staff will also have to meet certain skill and qualification requirements.
4. Hospitals in the state will have to enact a comprehensive cybersecurity program spanning "risk assessment, response, recovery, and data protection" as well as policies covering "asset management, access control, training, monitoring, and incident response."
5. The state's hospitals will have to undergo regular cybersecurity testing, such as vulnerability scans and penetration tests, and meet ongoing training and monitoring mandates.
6. The rules require multifactor authentication for external network access.
7. Third-party vendors that provide services to hospitals will also have to meet certain cybersecurity standards.
8. The requirements are expected to cost each hospital between $50,000 and $2 million a year. The state has provided $650 million in funding to offset implementation costs.