November 13, 2023

Governor Hochul Announces Proposed Cybersecurity Regulations for Hospitals throughout New York State

Nation-Leading Proposed Regulations Backed by $500 Million in Health Care Information Technology Funding; Advance New York State’s Cybersecurity Strategy
Improved Cybersecurity to Help Hospitals Maintain Availability of Systems Essential for Providing Patient Care and Protection of Health Information

This release was originally distributed by the Governor's Press Office. The original release can be viewed on the Governor's website. 

Governor Kathy Hochul today announced the release of nation-leading statewide proposed cybersecurity regulations for hospitals, which will help the state’s hospitals establish policies and procedures to safeguard health care systems from growing cyber threats. Governor Hochul’s FY24 budget includes $500 million in funding that health care facilities may apply to upgrade their technology systems to comport with the proposed regulations.  

"Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals," Governor Hochul said. "These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats."

The proposed regulations aim to strengthen the protections on hospital networks and systems that are critical to providing patient care, as a complement to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule that focuses on protecting patient data and health records. Under the proposed provisions, hospitals will be required to establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks, use defensive techniques and infrastructure, implement measures to protect their information systems from unauthorized access or other malicious acts, and take actions to prevent cybersecurity events before they happen.  

New York State Health Commissioner Dr. James McDonald said, “Under Governor Hochul’s leadership, New York State has significantly enhanced its cyber defenses, which are critically important to our health care system. When we protect hospitals, we protect patients. These nation-leading draft cybersecurity hospital regulations build on the Governor’s state of the state priority by helping protect critical systems from cyber threats and ensuring New York’s hospitals and health care facilities stay secure.”  

Additionally, the proposed regulations require that hospitals develop response plans for a potential cybersecurity incident, including notification to appropriate parties. Hospitals will also be required to run tests of their response plan to ensure that patient care continues while systems are restored back to normal operations.  

The proposed regulations mandate that each hospital’s cybersecurity program includes written procedures, guidelines, and standards to develop secure practices for in-house applications intended for use by the facility. Hospitals will also be required to establish policies and procedures for evaluating, assessing, and testing the security of externally developed applications used by the hospital.  

The proposed regulations also require hospitals to establish a Chief Information Security Officer role, if one does not exist already, in order to enforce the new policies and to annually review and update them as needed. Additionally, the proposed regulations require the use of multi-factor authentication to access the hospital’s internal networks from an external network.  

The $500 million in funding was included in the Governor’s FY24 budget and will be part of an upcoming statewide capital program call for applications, opening soon. These funds will spur investment in modernization of health care facilities as well as utilization of advanced clinical technologies, cybersecurity tools, electronic medical records, and other technological upgrades to improve quality of care, patient experience, accessibility, and efficiency.  

If adopted by the Public Health and Health Planning Council this week, the regulations will be published in the State Register on Dec. 6, and undergo a 60-day public comment period ending on Feb. 5, 2024. Once finalized, hospitals will have a year to come into compliance with the new regulations.  

New York State Chief Cyber Officer Colin Ahern said, “Under Governor Hochul's leadership, the Department of Health is publishing draft cybersecurity regulations that will strengthen protections for hospital systems across the state. These draft regulations build upon the statewide cybersecurity strategy Governor Hochul released in August. As hospitals face growing cyber threats, it is imperative that we enable them to defend against attacks and these draft regulations and financial commitment do just that. We look forward to receiving public feedback over the next 60 days before finalizing the regulations to support improved cyber defenses and resilience for hospitals statewide.”

Last year, the United States Department of the Treasury, the Federal Bureau of Investigation, and the Cybersecurity and Infrastructure Security Agency warned that hospitals were the target of cyberattacks – and some New York hospitals were among those targeted. Cyberattacks have an immediate impact on hospitals, from patient diversions and procedure cancellations to a transfer from electronic to paper records that slows down critical services.

Governor Hochul recently announced New York’s first-ever statewide cybersecurity strategy aimed at protecting the State’s digital infrastructure from today’s cyber threats. The strategy provides public and private stakeholders with a roadmap for cyber risk mitigation and outlines a plan to protect critical infrastructure, networks, data, and technology systems.  

New York State Homeland Security and Emergency Services Commissioner Jackie Bray said, “The availability of essential health care services is critical and with the introduction of these proactive, common-sense regulations, New York is taking meaningful steps to protect patients, while also building a cybersecurity roadmap for the rest of the nation to follow.”  

New York State Chief Information Officer Dru Rai said, “When it comes to protecting New Yorkers from cyberattacks that have become more numerous and more sophisticated, safeguarding our hospitals is an essential part of New York’s aggressive and comprehensive whole-of-state approach. We thank the Governor and our agency partners for their ongoing commitment and are pleased that the state’s hospitals will be getting the uniform guidance and resources necessary to further enhance their own cybersecurity, thereby protecting patients and the critical systems that provide quality care all across New York.”  

Last month, Governor Hochul issued a proclamation designating October as Cybersecurity Awareness Month, this year marking the 20th anniversary of the event, as part of an effort to engage and educate the public about cybersecurity and provide tools and other resources to help all New Yorkers stay safe online.

For more information, visit Governor Hochul's website on enhancing cybersecurity across New York State, the ITS Chief Information Security Office website, and follow the agency on X (formerly known as Twitter), Facebook and Instagram (#NYSCyber).