New York Governor Kathy Hochul is advocating for stringent cybersecurity regulations for the state’s hospitals in response to a series of disruptive cyber attacks. The proposed rules compel hospitals to establish comprehensive cybersecurity programs, evaluate risks, deploy defensive measures and infrastructure, and appoint chief information security officers.
Incident response plans, including procedures for notifying appropriate authorities during an attack, are mandated, with a focus on ensuring uninterrupted patient care during system restoration tests. Governor Hochul emphasized the interconnected defense needed in today’s cyber landscape and positioned the proposed regulations as a leading blueprint for New York’s resilience against cyber threats.
As reported by the Wall Street Journal, the proposals also call for hospitals to delineate secure practices for software application use and incorporate measures like multifactor authentication. Governor Hochul’s budget for the upcoming fiscal year includes $500 million to support hospitals in aligning their technology systems with the proposed regulations.
The rules, currently under review by the Public Health and Health Planning Council, will be open for public comment after publication in the State Register on December 6. If approved, the regulations will take effect one year after finalization, building on the broader statewide cybersecurity strategy introduced by Governor Hochul in August.
Acknowledging the escalating cyber threats faced by hospitals, New York State Chief Cyber Officer Colin Ahern highlighted the importance of enabling healthcare institutions to defend against attacks. The governor’s office stressed that recent cyber attacks on healthcare facilities have resulted in patient diversions, procedure cancellations, service limitations, and reliance on paper records.
Governor Hochul’s proactive approach to cybersecurity aligns with her commitment to safeguarding patient data, as demonstrated by the imposition of fines on companies failing to protect patient information in the aftermath of ransomware attacks.