New York State Issues Cybersecurity Regulations for Hospitals: What Organizations Need to Know
Read on to learn what organizations need to know about the recently published regulations that require general hospitals in New York State to meet a set of cybersecurity requirements.
Earlier this month, the New York Department of Health (DOH) published regulations that require general hospitals in New York State to comply with a variety of rules related to cybersecurity, including protecting patients’ health information (PHI) and personally identifiable information (PII).
While full compliance isn’t required until October 2, 2025, effective immediately the more than 190 hospitals in New York must report certain cybersecurity incidents to the Department of Health within 72 hours. This new regulation is intended to augment, not replace, any of the current federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule requirements.
“There are many enhanced requirements included in these new regulations, but the 72-hour reporting deadline will be most challenging as these types of incidents often occur at times when hospitals are under-resourced and focused on clinical care and IT recovery,” said Gina Greenwood, JD, CIPP/US, Partner, Chair of Privacy, Security and Breach Practice Group at Nelson Mullins. “Effective planning and structured preparation will be critical to compliance - and survival. Fortunately, these activities are valuable in improving an organization’s overall cyber resilience.”
Working with clients and partners in New York and across the country, we are advising all our clients to pay attention and identify the actions they need to take. New York facilities need to take the time to prepare and roll out process changes; however, hospitals across the country should also expect similar strengthened regulations intended to protect care delivery systems and data.
What do hospitals need to do?
Here are some of the key requirements that hospitals need to ensure they are following:
- CISO: The new regulations require that hospitals ensure they have a qualified individual serving as Chief Information Security Officer (“CISO”) or virtual CISO (“vCISO”). For organizations that do not have the resources to employ a full-time CISO, Beazley Security offers a vCISO program that provides a qualified CISO on a flexible basis to give guidance, planning, and oversight necessary to meet the new requirements.
- Cybersecurity Program & Policies: Implement a cybersecurity program and/or policies that address issues like vendor or third-party service provider management, data governance, and systems and application development. Policies should include incident response plans, multi-factor authentication, and penetration testing as part of a hospital’s HIPAA compliance program. Beazley Security’s Security Policy Review and Development services assess a client’s existing security policies and offer tailored recommendations based on specific industry security controls or custom organizational requirements. Further, the company’s Incident Response Plan Development service gives organizations a comprehensive, tailored incident response plan (IRP) to help them respond effectively to cybersecurity incidents and data breaches.
- Awareness Training and Risk Assessments: Provide cybersecurity awareness training to all employees so that they understand the risks, and ensure that system access privileges are regularly reviewed. Hospitals also need to conduct annual security risk assessments of their information systems, including penetration testing or ongoing exposure management programs, to help identify risks and prioritize activities that strengthen controls. Further, the new regulations require that a data breach notification plan be established and that audit records be maintained for at least six years, which is in line with HIPAA requirements.
Beazley Security has the benefit of having access to volumes of data, including decades of historical claims and cause of loss information. This helps us advise our clients on specific risk factors that we’ve experienced in the field and provides practical guidance on what tactics yield the greatest impact on their risk factors. We’re also able to leverage this to help clients develop a customized Incident Response Plan, specific to size, region, and specialties.
When you begin to strategize and prepare for these new requirements, Beazley Security is here to help. Contact our Advisory team or visit https://beazley.security/clients/healthcare to learn more about Beazley Security tools and services for healthcare organizations.