New York State governor Kathy Hochul has proposed a $500-million shot in the arm to healthcare facilities across the state in an effort to create more robust cybersecurity protection.
Offered as support for new regulations under consideration, the funding is included in the governor’s proposed state budget for 2024-2025. The funding would be available to qualifying facilities for use in upgrading technology and safeguarding healthcare systems against cyber threats.
“Our interconnected world demands an interconnected defense against cyber attacks,” Hochul said, “especially at hospitals.”
The proposed regulations would compel hospitals to assess internal and external cybersecurity risks and take steps to use both defensive techniques and infrastructure to protect information systems. Prevention, as ever, is the watchword.
“When we protect hospitals, we protect patients,” said state health commissioner Dr. James McDonald. “These nation-leading draft cybersecurity hospital regulations … help protect critical systems from cyber threats, ensuring New York’s hospitals and healthcare facilities stay secure.”
The additional regulations are meant to complement existing federal security rules. The 1996 Health Insurance Portability and Accountability Act (HIPAA) created national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
According to the Centers for Disease Control, these protective measures still allow the flow of health information needed to provide and promote high-quality healthcare.
Currently, health information finds its way into a number of databases: business associates of the hospital, healthcare clearing houses, limited datasets for research, public health, or healthcare operations.
Of some interest to any community which has observed the sometimes contradictory behavior displayed by a hospital after a successful cyber attack, Hochul’s proposed regulations would require response plans for a potential incident, including notification to appropriate parties.
Hochul’s regulations will also require hospitals to run tests of their response plan to ensure that patient care continues while systems are restored to normal operations. Hospitals should anticipate unhappy circumstances and be prepared to function offline.
If the Public Health and Health Planning Council (PHHPC) approves, the new regulations would be published in the State Register on December 6, ahead of a 60-day public comment period ending on February 5, 2024. Hospitals would have a year to come into compliance.
Since last November, six health facilities in New York State have been hit, including Health Alliance in Kingston, Margaretville Hospital and Mountainside Residential Care Center.
The amount of patient information accessed by the hackers, and of ransom payments paid to them so far, remains unknown. Criminal investigations continue.
Last month, Hochul issued a proclamation designating October as cybersecurity awareness month.