Stethoscope on laptop showing cybersecurity regulations for New York healthcare facilities

New York State Healthcare Facilities Looking at New Cybersecurity Regulations, New Funding in 2024

New York's healthcare industry will have to tighten its cyber defenses in 2024, but it will also have access to $500 million in new state funding to do so. The governor's office has proposed new statewide cybersecurity regulations for hospitals, which will be published in the State Register on December 6.

A public comment period will then run until February 5, after which affected healthcare facilities will have at least the remainder of 2024 to come into compliance. The move is part of an ongoing statewide digital defense strategy that mirrors the federal government's current approach, with a focus on new cybersecurity regulations for critical infrastructure sectors.

New York healthcare systems ordered to boost defenses against criminal hacking, appoint CISOs

The new cybersecurity regulations essentially apply to healthcare facilities that provide in-person patient care and are already subject to Health Insurance Portability and Accountability Act (HIPAA) rules; they do not supersede or replace anything in HIPAA. Hospitals in the state will be required to maintain structured cybersecurity programs that include specified risk analysis and defensive measures. They will also be required to maintain incident response plans, meet new breach reporting requirements, and periodically test those plans to ensure that patient care can continue during a serious incident.

Affected facilities that do not already have a CISO will be required to appoint one to regularly review and enforce the new policies. The regulations will also require anyone accessing internal healthcare networks from outside, such as a remote worker, to log in using multi-factor authentication (MFA).

Governor Kathy Hochul's FY24 state budget includes $500 million in funding to help healthcare facilities come into compliance with the new regulations. The governor's office said only that applications for this funding will be available "soon." The draft indicates that rural areas, which are more likely to struggle to maintain adequate IT staff and infrastructure, and smaller healthcare facilities will be prioritized over the larger and better-funded systems anchored in major cities. Grant amounts per facility could range from $50,000 to $10 million depending on size and need, with the maturity of the existing cybersecurity program and the bed count as the major determining factors.

Emily Phelps, Director of Cyware, notes that the draft’s allowance of contracting many of these functions to third-party services will likely be key: “With our interconnected world, it is true we need interconnected defenses. A crucial aspect is a focus on collective defense and software supply chain security in healthcare. Collective defense involves leveraging shared knowledge and resources to improve the overall cybersecurity posture of all involved entities. In healthcare, where organizations deal with sensitive data across modern and legacy systems, leveraging healthcare ISACs and trusted intelligence sharing help these entities become more proactive. Furthermore, the emphasis on evaluating and testing third-party security is a proactive measure to secure the software supply chain. Healthcare organizations rely heavily on various software solutions and third-party services, making them vulnerable to supply chain attacks. Regular testing and policy establishment for third-party security will help mitigate these risks.”

The regulations are still in draft form and could be revised before organizations are required to comply, but as currently written the state wants major healthcare data breaches reported within two hours. If that requirement survives, it would likely be the shortest reporting window in the world; India established a six-hour window for certain industries in 2022, but the norm to date has been a minimum of 24 hours, with 48 or 72 hours more common even for potentially highly sensitive incidents.

New cybersecurity regulations prompted by wave of attacks on hospitals

New York is hardly alone in this, but attacks on its healthcare facilities have prompted the state government to act. Hospitals and patient care have become an increasingly popular target for ransomware gangs in recent years, driven by the perception that they cannot afford not to pay, and they are also a popular target for data extortion, with individual medical records sometimes selling for hundreds of dollars each on the dark web. At least one emerging and highly active ransomware gang, Rhysida, appears to focus almost exclusively on attacking hospitals.

The new regulations also build on New York's ongoing critical infrastructure security strategy, which was first announced in August but is tied to moves the governor's office has been making since 2022. The state has already announced upgrades to the New York Security Operations Center, updated policies and standards for state government agencies, and strategic outreach to private critical infrastructure partners. A year ago the state adopted similar cybersecurity regulations for the energy industry, and it is likely to follow the federal government's lead in prioritizing other sectors such as water and transportation.

Though New York is among the states making more aggressive moves in this area, healthcare attacks have been on the minds of governments since the first deaths attributed to ransomware were reported in 2020 and 2021. The most widely cited incident occurred at a university hospital in Düsseldorf, Germany in September 2020: the hospital, with key systems disabled by a ransomware attack, had to turn away a woman arriving by ambulance in critical condition, and she died after being diverted to a more distant facility. (German prosecutors later concluded that her condition was already so severe that the delay was not decisive.) A lawsuit against an Alabama hospital also surfaced in 2021, in which the plaintiff blamed the 2019 death of her baby daughter on ransomware having crippled patient monitoring systems, so that staff relying on paper printouts did not notice a dangerous change in heart rate. That case remains before the Circuit Court of Mobile County, Alabama.

Paul Valente, CEO & Co-Founder at VISO Trust, believes that this is the beginning of a trend among states: "The lack of funding for security within the healthcare sector has led to the industry becoming a primary target for cyber criminals. Ransomware has become endemic with healthcare organizations, more frequently leaving them with no choice but to pay the ransom, rather than risk patient safety. Third-party risks pose significant challenges for hospitals due to their complex relationships with supply chain vendors and the evolving nature of cyber threats. Understaffing and outdated and complex techniques further hinder effective cyber risk management. Governor Hochul's funding and requirements are just a starting point in safeguarding these institutions. It's great to see New York taking the lead and it will be intriguing to see which states follow suit."