Understanding new NY hospital cybersecurity regulations

Recently enacted New York State general hospital cybersecurity requirements could be a sign of what's to come for the healthcare sector as a whole.

Newly enacted New York State hospital cybersecurity regulations require general hospitals throughout the state to report cybersecurity incidents to the New York State Department of Health within 72 hours of discovery. These regulations signify a step toward more prescriptive healthcare cybersecurity requirements for the sector.

Additionally, the regulations require New York hospitals to implement a variety of cybersecurity best practices to safeguard their systems from cyberattacks, such as multifactor authentication and a strong incident response plan. While the 72-hour reporting requirement went into effect on Oct. 2, 2024, hospitals have until October 2025 to comply with the remainder of the requirements.

The new standards apply only to general hospitals and are not applicable to other types of healthcare facilities, such as nursing homes or diagnostic centers.

Healthcare cyberattacks are continuing to cause disruptions at healthcare organizations of all sizes. An October 2024 report by Microsoft found that ransomware attacks in healthcare have surged by 300% since 2015.

Even with a plethora of free guidance available and regulatory efforts on the horizon, cyberthreat actors are continuing to see the sector as an easy target. The New York State cybersecurity regulations are unique in that they call for prescriptive measures and safeguards to combat cyberthreats and serve as a complement to HIPAA.

"Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals," Kathy Hochul, governor of New York, stated in a press release when the regulations were first introduced in November 2023.

"These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats."

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.

Transcript - Understanding new NY hospital cybersecurity regulations

Jill McKeon: This could really be a sign of what's to come for other states and even on a federal level. Of course, we don't know exactly how that will unfold, but the fact that this legislation was enacted is certainly a big deal.

Kelsey Waddill: It's not every day that a state implements a first-of-its-kind law that could set the tone for cybersecurity legislation on the state level going forward. But in case you didn't know, New York recently took such a step.

Waddill: Hi, I'm Kelsey Waddill, multimedia manager and managing editor at Xtelligent Healthcare, and today we have with us Jill McKeon, our associate editor of Healthtech Security, to break down the specifics of this law and what it could mean for cybersecurity legislation and strategy in the future. Well, Jill, thank you so much for coming on Healthcare Strategies today to talk about this interesting cybersecurity legislation that just came out.

McKeon: Yeah, thank you for having me.

Waddill: I'm really looking forward to kind of digging into this, especially as someone who...cybersecurity is not my site. I have a lot to learn on the cybersecurity front. So, I'm really curious about how this one law is going to factor into the larger picture here. Let's dive right in about what this law is. So, New York State has some new hospital cybersecurity regulations, as we mentioned. They went into effect on Oct. 2, 2024, so these are already live. Can you just kind of start us out with an overview of what these regulations entail and who they apply to?

McKeon: As you said, these regulations went into effect on Oct. 2. Effective immediately, general hospitals in New York State have to report cybersecurity incidents to the New York State Department of Health within 72 hours of discovery. So that's the main provision, and these rules specifically apply to the about 195 general hospitals in the state, which by definition means a hospital that provides medical or surgical services, primarily inpatient, on a 24-hour basis. So these rules will not apply to nursing homes, diagnostic centers, other healthcare organizations. It's strictly for general hospitals in the state of New York. That 72-hour timeline is effective now, but then effective Oct. 2, 2025, these hospitals will also have to establish cyber programs that feature specified capabilities surrounding things like user authentication controls and audit trails. They also have to appoint a chief information security officer. So there's a lot of other provisions that will be top of mind for these New York general hospitals in the coming year as well.

Waddill: Yeah, absolutely. What is this transitioning from?

McKeon: Essentially, HIPAA is still the main law in terms of protecting patient privacy in cyber incidents. There are similar laws in the financial sector in terms of reporting cyber incidents in a tighter timeframe. A lot of experts I've spoken to have said this is kind of reminiscent of that. Those were enacted in 2017. So this is sort of a first-of-its-kind regulation.

Waddill: Oh, wow. Okay. That context is super helpful. We're going to reel back in for a second now and just dive into the definition of a cybersecurity incident. It's something that's really important to put some parameters around, so how does this regulation define a cybersecurity incident that these general hospitals are going to have to report?

McKeon: Yeah, and that's an important call-out. What is a cybersecurity incident according to the parameters of this law? According to this regulation, a cyber incident is something that has one, a material adverse impact on normal operations, two, has a likelihood of materially harming any part of normal operations -- so if there's any likelihood at all that it could have an impact -- or three, if it results in the deployment of ransomware within a material part of the hospital's information systems. And it's also important to note that these hospitals will be required to keep documentation of these incidents for at least six years in case it is requested by the New York State Department of Health, so it's important to have really good documentation surrounding any cybersecurity incident that might occur.

Waddill: Yeah. And probably, they're going to have to invest in some storing capabilities to keep all that data, it sounds like, for six years. May be time to get on the cloud or something. Let's dive into the 72-hour deadline for reporting cybersecurity incidents to the New York State Department of Health specifically, because I know that's a kind of unique part of this law. Do you foresee that being a challenge for hospitals to maintain that regulation?

McKeon: Yeah, it's definitely a very tight timeline, but actually, in the proposed regulation, it was a two-hour deadline.

Waddill: Oh my goodness. Wow.

McKeon: So they've expanded that a bit, so that gives hospitals a bit more time to kind of figure out: Is this a cybersecurity incident, and who do we report it to? It will be really important for these hospitals to have kind of a chain of communication. If someone discovers an incident and then reports it to the chief information security officer, then they're able to report it to the state. That disclosure can happen as soon as possible. They don't need to be done with their investigation or anything like that. It's just about looping in the state and quickly reporting it upon discovery. But if we look at HIPAA breach reporting requirements, entities have 60 days to report breaches, and we've seen instances where that 60-day timeline isn't enough, and some entities are reporting this months later.

Waddill: Wow.

McKeon: This regulation really just requires these entities to notify the state as soon as they've determined the cybersecurity incident, and then breach reporting obviously comes later on, but I imagine that there will be some challenges with getting together the chain of communication to report these incidents.

Waddill: Yeah. We've been focusing a lot on the 72-hour deadline, for good reason. That's an important part of this new legislation. But I also wanted to zoom out a little bit and discuss the broader implications of this rule. What are some of the other notable provisions that are included in this legislation that healthcare leaders should be aware of?

McKeon: Yeah. There are a lot of other provisions that we touched on earlier that will take effect in 2025. I think one of the big ones is requiring hospitals to have a designated chief information security officer. That person has to be an executive-level staff member with the right training or expertise. If they don't have that person on staff, they could outsource that role to a third party, bringing in the CISO from a third-party organization, as long as that person plays a main role in establishing the hospital's cybersecurity policy and continually assessing risk in that role. So that's a big adjustment for any hospital that doesn't already have one. Some other notable provisions include really specific and prescriptive requirements surrounding certain security controls. Hospitals have to use multifactor authentication, they have to conduct an annual risk assessment, and they have to adopt a written incident response plan. In terms of implementation, because these things aren't free, the legislation also includes $500 million in funding to aid in compliance. So that will be something that I imagine the hospitals, over the next year, will be focusing on implementing.

Waddill: We've already briefly mentioned HIPAA, and as most people know, HIPAA is a very overarching, very comprehensive regulation around these kinds of health information security procedures. So, you touched on this a little bit already, but what does that interaction between that general overarching law and this specific regulation for the state of New York look like? Can you break that down for us?

McKeon: This legislation really places a lot of emphasis on being a complement to HIPAA rather than competing against it. HIPAA still sets that standard, but these requirements are specific mandates that the hospital has to take to safeguard their systems. For example, HIPAA doesn't specifically mention that hospitals have to implement multifactor authentication. They would just say that you need to adopt reasonable and appropriate safeguards to protect patient data, whereas this regulation is really prescribing specific safeguards that these entities will have to implement. So, it's a lot more specific to general hospitals in New York. I don't think it'll be an issue of which regulation should we choose to comply with over the other. They're really working together.

Waddill: That's good, yeah. It's already kind of confusing enough. Don't want to have to make people try to figure out which one they're supposed to follow. Speaking of the broader picture here, what does this mean for the industry? This is very specific to the state of New York. It's not even applying to all providers in the state of New York, as you mentioned.

McKeon: Right.

Waddill: So, why is this such a big deal? What are the implications for the broader healthcare industry?

McKeon: Yeah. What I've heard from some experts that I've spoken with over the last couple weeks is that this could really be a sign of what's to come for other states, and even on a federal level. Of course, we don't know exactly how that will unfold, but the fact that this legislation was enacted is certainly a big deal. These regulations also align with federal priorities when it comes to creating these more prescriptive cybersecurity standards, especially considering the timing of this legislation. HHS has seen a dramatic increase in breaches involving hacking. More than three-quarters of the breaches reported to OCR last year involved hacking. So, it's really necessary to take the steps to improve healthcare cybersecurity, so I think this is a sign of that. It aligns with what the federal government is doing, and it could definitely be a signal that other states might enact similar laws.

Waddill: Looking to the future, what can hospitals in other states do today to prepare for future requirements that might mimic this one?

McKeon: Yeah. I think, like I was saying, these regulations are in alignment with certain federal entities trying to also make strides in improving healthcare cybersecurity. If you take a look at the HHS cybersecurity performance goals, or the CPGs, those can really help organizations implement key best practices. A lot of those CPGs are things that are mentioned in the New York laws, like multifactor authentication and specific controls like that. The CPGs are broken down into essential and enhanced goals, so the essential goals can help organizations tackle very common vulnerabilities and implement really basic safeguards, while the enhanced goals help organizations kind of build on their security maturity even more, with things like network segmentation and third-party incident reporting. So that's a great tool, a resource to look at to kind of prepare for any future regulations that might involve those safeguards. And also, each of the goals in the CPGs is mapped to a specific practice in the Health Industry Cybersecurity Practices, or HICP, publication, which is another great resource.

I think it's also really important to keep an eye on other progressing legislation that can help organizations prepare. I know that right now, there's the Healthcare Cybersecurity Act, which was introduced in the Senate, and it also has companion legislation in the House. That bill aims to kind of increase coordination between the Cybersecurity and Infrastructure Security Agency (CISA) and HHS, so they will ideally collaborate a bit more on improving healthcare cybersecurity. It also proposes that CISA and HHS make cyber threat defense resources available to non-federal entities. If that passed, that would be a significant step forward in healthcare cybersecurity. There's also the Health Infrastructure Security and Accountability Act, which was recently introduced, and that aims to establish minimum standards for the sector, which could align with the CPGs that we were talking about before. So all of these regulations, you'll kind of see similar language in these proposals, and that could result in federal mandates or state-level mandates as we've seen. So we'll kind of see if that legislation passes, but even if it doesn't, there are a lot of resources available for these organizations to improve their posture today by following the best practices.

Waddill: Yeah. Jill, thank you so much for coming on, for delving into the specifics of this law with us, and also showing us a little bit of how it could tie into the bigger picture. Looking forward to having you on again.

McKeon: Great. Thank you!

Waddill: And thank you, listener, for tuning in. If you liked what you heard, head on over to Apple or Spotify and drop us a review. Speaking of reviews, we wanted to give a big shout-out to kokorat on Apple podcasts, who wrote: "Love the addition of Alivia Kaylor to this podcast. She makes this information relatable and interesting! Keep her energy on these, and I'll keep listening and learning!" We couldn't agree more, kokorat, and we're excited to have some episodes with Alivia coming up. So stay tuned. See you all next time! Music by Vice President of Editorial Kyle Murphy, and production by me, Kelsey Waddill. This is a TechTarget production.
