In a groundbreaking move, New York Governor Kathy Hochul has unveiled a comprehensive cybersecurity strategy that aims to safeguard the state's critical infrastructure, specifically its healthcare sector. This initiative, backed by a substantial $500 million investment, sets forth a series of nation-leading proposed regulations for hospitals, bolstering their defenses against ever-evolving cyber threats.
This strategic approach—announced on New York State's website on November 13—marks a significant step forward in New York's fight against cyberattacks. The proposed regulations, designed specifically for hospitals, establish a robust framework for cybersecurity risk management and incident response. Hospitals will be required to implement comprehensive cybersecurity programs, including vulnerability assessments, access controls, and security awareness training for their employees.
"Having experienced NYDFS's stringency first-hand in regards to regulation for financial services, this comes as no surprise," Krista Arndt, CISO at United Musculoskeletal Partners, wrote in a LinkedIn post on December 5. "I view it as a welcomed step in helping security teams secure the funding and support they need to keep our heads above water. With the threat landscape continuing to increase in complexity at an alarming rate, most of these proposed 'requirements' are considered core 'good' hygiene these days."
The $500 million funding allocation will play a crucial role in enabling hospitals to comply with the new regulations and enhance their cybersecurity infrastructure. The funding will support the acquisition of advanced cybersecurity tools, the training of cybersecurity professionals, and the modernization of IT systems.
Key highlights of New York's cybersecurity strategy
- Nation-leading proposed regulations for hospitals: These regulations mandate comprehensive cybersecurity programs, vulnerability assessments, access controls, and security awareness training.
- $500 million in funding for healthcare information technology: This funding will support the acquisition of cybersecurity tools, training, and IT modernization.
- Unification of cybersecurity services: The strategy consolidates cybersecurity services under the Department of Financial Services (DFS), ensuring a coordinated approach to protecting critical infrastructure.
- Expansion of cybersecurity resources: The strategy expands the New York State Police's Cyber Analysis Unit, Computer Crimes Unit, and Internet Crimes Against Children Center.
Implications for New York's healthcare sector
New York's comprehensive cybersecurity strategy is expected to have a profound impact on the state's healthcare sector. The proposed regulations will raise the bar for cybersecurity preparedness among hospitals, significantly reducing their vulnerability to cyberattacks. The $500 million funding will provide the necessary resources to implement these measures and bolster the overall cybersecurity posture of the healthcare sector.
"Under Governor Hochul's leadership, the Department of Health is publishing draft cybersecurity regulations that will strengthen protections for hospital systems across the state," said New York State Chief Cyber Officer Colin Ahern. "These draft regulations build upon the statewide cybersecurity strategy Governor Hochul released in August. As hospitals face growing cyber threats, it is imperative that we enable them to defend against attacks and these draft regulations and financial commitment do just that. We look forward to receiving public feedback over the next 60 days before finalizing the regulations to support improved cyber defenses and resilience for hospitals statewide."
Governor Hochul recently announced New York's first-ever statewide cybersecurity strategy aimed at protecting the State's digital infrastructure from today's cyber threats. The strategy provides public and private stakeholders with a roadmap for cyber risk mitigation and outlines a plan to protect critical infrastructure, networks, data, and technology systems.
This proactive approach will undoubtedly strengthen patient trust and confidence in New York's healthcare system. By safeguarding sensitive patient data and ensuring the continuity of critical healthcare services, New York is setting a high standard for cybersecurity protection in the healthcare industry nationwide.
"When it comes to protecting New Yorkers from cyberattacks that have become more numerous and more sophisticated, safeguarding our hospitals is an essential part of New York's aggressive and comprehensive whole-of-state approach," said New York State Chief Information Officer Dru Rai. "We thank the Governor and our agency partners for their ongoing commitment and are pleased that the state's hospitals will be getting the uniform guidance and resources necessary to further enhance their own cybersecurity, thereby protecting patients and the critical systems that provide quality care all across New York."
Ardent Health Services, a Nashville-based healthcare provider, fell victim to a ransomware attack on Thanksgiving Day, November 23, that disrupted its IT operations and forced hospitals to divert emergency room patients to other facilities. The incident highlighted the growing threat of cyberattacks to healthcare organizations, which are increasingly reliant on technology to deliver care.
RELATED: The New York Department of Financial Services (NYDFS) took a significant step toward strengthening cybersecurity defenses across the state's financial sector in early November by finalizing amendments to Part 500 of its cybersecurity regulations.
In addition to New York, several other U.S. states have implemented government regulations specifically tailored to enhance cybersecurity practices in hospitals. These regulations aim to safeguard sensitive patient data, protect critical healthcare infrastructure, and ensure the continuity of essential medical services. Here are a few examples.
California: The California Department of Public Health (CDPH) has established cybersecurity requirements for hospitals under the Health Facilities Cybersecurity Regulation. The regulation mandates comprehensive cybersecurity programs, including risk assessments, incident response plans, and employee training.
Massachusetts: The Massachusetts Center for Health Information and Analysis (MCHI) has developed the Massachusetts Electronic Health Record Security Rule, which outlines cybersecurity standards for hospitals handling electronic health records (EHRs). The rule emphasizes data encryption, access controls, and vulnerability management.
Maine: The Maine Department of Health and Human Services (DHHS) has implemented the Maine Health Data Protection Act, which includes provisions specifically addressing cybersecurity practices in hospitals. The act mandates risk assessments, incident reporting, and data breach notification procedures.
Maryland: The Maryland Department of Health (MDH) has established cybersecurity requirements for hospitals under the Maryland Health Information Security Act. The act mandates comprehensive cybersecurity programs, including risk assessments, incident response plans, and vendor management practices.
Oregon: The Oregon Health Authority (OHA) has developed the Oregon Health Records Privacy and Security Rule, which outlines cybersecurity standards for hospitals handling electronic health records (EHRs). The rule emphasizes data encryption, access controls, and employee training.