Nation-Leading Proposed Regulations Backed by $500 Million in Health Care Information Technology Funding; Advance New York State’s Cybersecurity Strategy
Improved Cybersecurity to Help Hospitals Maintain Availability
Governor Kathy Hochul today announced the release of nation-leading statewide proposed cybersecurity regulations for hospitals, which will help the state’s hospitals establish policies and procedures to safeguard health care systems from growing cyber threats. Governor Hochul’s FY24 budget includes $500 million in funding that health care facilities may apply to upgrade their technology systems to comport with the proposed regulations.
"Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals," Governor Hochul said. "These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”
The proposed regulations aim to strengthen the protections on hospital networks and systems that are critical to providing patient care, as a complement to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule that focuses on protecting patient data and health records. Under the proposed provisions, hospitals will be required to establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks, use defensive techniques and infrastructure, implement measures to protect their information systems from unauthorized access or other malicious acts, and take actions to prevent cybersecurity events before they happen.
Additionally, the proposed regulations require that hospitals develop response plans for a potential cybersecurity incident, including notification to appropriate parties. Hospitals will also be required to run tests of their response plan to ensure that patient care continues while systems are restored back to normal operations.
The proposed regulations mandate that each hospital’s cybersecurity program includes written procedures, guidelines, and standards to develop secure practices for in-house applications intended for use by the facility. Hospitals will also be required to establish policies and procedures for evaluating, assessing, and testing the security of externally developed applications used by the hospital.
The proposed regulations also require hospitals to establish a Chief Information Security Officer role, if one does not exist already, in order to enforce the new policies and to annually review and update them as needed. Additionally, the proposed regulations require the use of multi-factor authentication to access the hospital’s internal networks from an external network.
The $500 million in funding was included in the Governor’s FY24 budget and will be part of an upcoming statewide capital program call for applications, opening soon. These funds will spur investment in modernization of health care facilities as well as utilization of advanced clinical technologies, cybersecurity tools, electronic medical records, and other technological upgrades to improve quality of care, patient experience, accessibility, and efficiency.
If adopted by the Public Health and Health Planning Council this week, the regulations will be published in the State Register on Dec. 6, and undergo a 60-day public comment period ending on Feb. 5, 2024. Once finalized, hospitals will have a year to come into compliance with the new regulations.
No comments:
Post a Comment