
NY Law Shows Reasonable Cybersecurity Standards For Health Providers

A Journal of AHIMA article states that reasonable cybersecurity standards for healthcare providers to follow are needed.

The pandemic has brought about an increase in healthcare-related electronic information and an increased need for health information regulations, according to an op-ed published in the Journal of AHIMA.  

“Not only has electronic information become more complex but, during the last year and a half, the United States has seen the enactment of privacy laws at the state level intended to protect personal information,” the journal article states.  

Several states, including California, New York, and Virginia, have enacted privacy laws, which were discussed in a 2020 Journal of AHIMA piece, "State Privacy Laws May Have Implications for Healthcare Providers."

“If one or more of these privacy laws apply to a healthcare provider, that provider is obligated to protect defined personal information and, if it fails to do so, it might become subject to penalties imposed by a regulator,” the op-ed states. “Moreover, depending on the privacy law to which it is subject, the provider might find itself a defendant in a civil action in which the plaintiffs seek compensatory damages and attorneys’ fees.” 

To avoid liability, healthcare providers need to adopt reasonable practices for the “creation, storage, transmission, and overall handling of personal electronic information.”

The op-ed cites the New York SHIELD Act as an example: “‘[a]ny person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.’”

To comply with the act, a person or business must implement a data security program that meets certain administrative, technical, and physical requirements.

The Journal of AHIMA cites the law's “reasonable” cybersecurity requirements as an example for healthcare providers to follow. The administrative requirements include having a designated employee coordinate the security program, identifying foreseeable risks, assessing the safeguards in place, and training employees on security practices.

The journal cites the “reasonable” technical requirements of the NY law, including assessing risks in network and software design, assessing risks in the storage and transmission of data, preventing and responding to cyber-attacks or system failures, and testing regularly.

Lastly, the journal cites the “reasonable physical requirements”: assessing the risks of information storage and disposal, protecting against unauthorized access, and properly disposing of private information.

The article also cites the need for healthcare providers to be in compliance with HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

“Care must be taken here,” the journal article states. “Every state privacy law has a carve-out for ‘protected health information’ under HIPAA. However, healthcare providers have a lot of personal information not subject to HIPAA, including information on employees and visitors to facilities.” 

“In other words, healthcare providers should expect to be subject to both HIPAA and state privacy laws depending on the personal information that the entity has acquired,” it continues.  

In conclusion, the Journal of AHIMA states that a healthcare provider “must be aware of what it is subject to, and must be in compliance with, whatever it is subject to. The requirements set out above through the SHIELD Act can be used as a measure of what compliance—and reasonableness—might be.”
