New York takes bold steps to strengthen hospital cybersecurity

The state recently implemented cybersecurity regulations targeting general hospitals' breach reporting requirements.

 

What happened 

As of October 2, 2024, New York has adopted cybersecurity legislation in response to the trend of cyberattacks targeting hospitals. The Department of Health reports that it has been addressing at least one relevant incident each month since 2023. Attacks often disrupt patient care and can lead to stolen patient data.

The new law requires general hospitals in New York to report any material cybersecurity incident to the New York State Department of Health within 72 hours of discovery. The timeframe was extended from the originally proposed 2-hour window. The law also defines material incidents as events that could harm hospital operations.

Hospitals will be required to conduct annual security risk assessments, establish a detailed incident response plan, and appoint a Chief Information Security Officer (CISO). 

 

What was said

In a press release, New York Governor Hochul said, “Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals. These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.” 

 

Why it matters

The legislation directly addresses the rising threat of cyberattacks that have increasingly targeted institutions. With healthcare systems being a prime target due to the value of patient data, the legislation acts as an escalation of HIPAA’s Breach Notification Rule. In the long run, this policy aims to improve cybersecurity planning and hospital response.

 

FAQs

What is the Breach Notification Rule? 

It requires covered entities under HIPAA to notify individuals, HHS, and, in some cases, the media if a breach occurs.

 

When does a cyberattack need to be reported to HHS?

If it results in a breach of unsecured patient information affecting 500 or more individuals.