NY Proposes Healthcare Cybersecurity Regulations With $500 Million In Funding 

Yesterday, New York Governor Kathy Hochul proposed a new set of cybersecurity regulations that would apply to hospitals across the state. The proposal also included $500 million in funding to help healthcare facilities upgrade their technology systems to meet the requirements of the proposed rules.
If adopted by the Public Health and Health Planning Council this week, the regulations will be published in the State Register on December 6th, requiring hospitals to implement infrastructure to defend against and prevent cyberattacks and to develop incident response plans.
New York hospitals will also be required to:

  • Establish a CISO role  
  • Use MFA  
  • Establish policies for evaluating and testing third-party security
  • Run tests to ensure patient care would continue should there be an incident

“Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals,” Hochul stated.
“These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”

Emily Phelps, Director, Cyware, had this to say:

   “Governor Kathy Hochul’s new cybersecurity regulations proposal for New York hospitals represents a significant step in reinforcing the resilience of healthcare facilities against cyber threats. Mandating the establishment of a Chief Information Security Officer (CISO) role and enforcing Multi-Factor Authentication (MFA) aim to fortify the defenses of healthcare systems.

   “With our interconnected world, it is true we need interconnected defenses. A crucial aspect is a focus on collective defense and software supply chain security in healthcare. Collective defense involves leveraging shared knowledge and resources to improve the overall cybersecurity posture of all involved entities. In healthcare, where organizations deal with sensitive data across modern and legacy systems, leveraging healthcare ISACs and trusted intelligence sharing helps these entities become more proactive.

   “Furthermore, the emphasis on evaluating and testing third-party security is a proactive measure to secure the software supply chain. Healthcare organizations rely heavily on various software solutions and third-party services, making them vulnerable to supply chain attacks. Regular testing and policy establishment for third-party security will help mitigate these risks.”

Paul Valente, CEO & Co-Founder, VISO Trust, follows with this:

   “The lack of funding for security within the healthcare sector has led to the industry becoming a primary target for cyber criminals. Ransomware has become endemic with healthcare organizations, more frequently leaving them with no choice but to pay the ransom, rather than risk patient safety.

   “Third-party risks pose significant challenges for hospitals due to their complex relationships with supply chain vendors and the evolving nature of cyber threats. Understaffing and outdated and complex techniques further hinder effective cyber risk management. Governor Hochul’s funding and requirements are just a starting point in safeguarding these institutions. It’s great to see New York taking the lead and it will be intriguing to see which states follow suit.”

The negative outcome that can happen when cybersecurity in health care isn’t top of mind was in the news recently, so this is a good move by New York State: prevention is better than pwnage.
