Adrian Johnson
In an effort to address cybersecurity threats in hospitals in New York, the state Department of Health proposed a new rule in December aimed at safeguarding hospital systems and nonpublic information. The proposed regulation, which is open for public comment until Feb. 5, would require hospitals to establish a cybersecurity program and take steps to assess internal and external risks.
The rule is meant to build on the Health Insurance Portability and Accountability Act and is not intended to replace any of the HIPAA security rule’s requirements. Compliance with the HIPAA security rule, by way of aligned policies and procedures, a holistic risk analysis, and control implementation against the implementation specifications, forms the bedrock of conformity with the proposed New York regulation. But compliance with the HIPAA security rule is only meant to serve as a starting point in addressing the proposed regulation.
To that end, the following may require a topical refresh to ensure continued alignment:
- Cybersecurity program, policies and procedures
- Chief information security officer
New York hospitals may want to consider updating or enhancing current policies in anticipation of these changes. Considerations include:
- Covered data set: Define data
- Audit trails and retention
- Cybersecurity personnel
- Third-party vendor management
- Multi-factor authentication
- Incident reporting
New York hospitals should consider the following:
- Organizations should ensure full compliance with the HIPAA security rule
- If the status of HIPAA compliance is not clearly understood by leadership, an assessment should be performed to identify any compliance gaps and to begin remediation thereof
- Remediation efforts may take a considerable amount of time or investment
- If an organization currently operates a high-performing security program that is in compliance with the HIPAA security rule and aligned to an industry cybersecurity framework, these New York state proposed rule changes should not require significant effort to update polices, processes or technologies
- Identify and formally document compensating controls as the proposed regulation implies a level of risk-based flexibility in the design of protections similar to the HIPAA security rule
Until the rule is published, commented on and finalized, significant changes may occur in the proposed legislation. However, once the requirements are finalized, New York hospitals will have one year to comply. Incident reporting requirements are effective immediately upon rule adoption.
