NY Forces Hospitals to Improve Cybersecurity

Unfortunately, this may be the only way to get some businesses to improve their cybersecurity practices.

New York is using its regulation of financial services firms as a model to regulate the security of its 152 “General” hospitals. Those are hospitals that “provide medical or medical and surgical services primarily to in-patients by or under the supervision of a physician on a twenty-four hour basis with provisions for admission or treatment of persons in need of emergency care.”

The regulation went into effect on October 2nd.

These regulated hospitals now have to report material cybersecurity incidents within 72 hours. The hospitals whined when the draft regulation came out requiring them to report within 2 hours.

I speculate that the reporting window was set up because we see, all too often, that businesses don’t report in anything remotely resembling a timely manner. Many will, if they think they can get away with it, not report at all.

Of course the wiggle room is in the term “material.” A reportable cybersecurity incident is defined as one that has a material adverse impact on the normal operations of the hospital; has a reasonable likelihood of materially harming any part of the normal operations of the hospital; or involves the deployment of ransomware within a material part of the hospital’s information systems.

Obviously, this will require hospitals to have a decent incident response program. Far from impossible, but it means they will have to work at it. I suspect some attorneys will try to argue about what the definition of is, is. The problem for those attorneys will be if the state later finds out that their definition doesn’t match the state’s definition, they may have a bunch of billable hours. OR, alternatively, a malpractice lawsuit. The first is good for them, the second, not so much.

Like New York’s financial services cybersecurity regulations, these regulations phase in over time.

Other hospital cyber requirements under new regulations include:

  • Designating a CISO – either employed directly by the hospital or as an employee of a third-party firm;
  • Conducting an accurate and thorough annual security risk assessment of the hospital’s systems;
  • Implementing a detailed, comprehensive cybersecurity risk program;
  • Conducting regular cybersecurity testing, including scans and penetration testing;
  • Maintaining systems to include audit trails designed to detect and respond to cybersecurity events;
  • Implementing multifactor authentication for external facing systems;
  • Limiting the use of privileged accounts to only when performing functions requiring the use;
  • At a minimum annually, reviewing all user access privileges and removing or disabling accounts and access that are no longer necessary;
  • Establishing a detailed incident response plan;
  • Providing regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the hospital in its risk assessment, which may include annual phishing exercises and remediation for employees.

While New York estimates that the new requirements will annually cost small hospitals with fewer than 10 beds between $50,000 and $200,000; medium sized hospitals with 10 to 100 beds between $200,000 and $500,000; and large hospitals with more than 100 beds about $2 million, they have, amazingly, approved $500 million in funding to help these hospitals.

Since lobbyists have blocked any sort of sane national cybersecurity policy, we are likely to see more of this, with big states like New York and California taking the lead. BUT, you saw how quickly state privacy laws proliferated, so that may not be much comfort to those who might be next in line.

Even in the case of state laws, lobbyists play a big role in getting many of the laws watered down. But these laws are a start. Stay tuned.

Credit: Data Breach Today
