On May 15, 2024, the New York State Department of Health (“NYSDOH”) published revisions to the proposed hospital cybersecurity regulations that it first released in November 2023.[1] We previously summarized the initially released proposed regulations (the “Initial Proposed Regulations”) in a November 2023 client alert.[2] Although the revised version of the proposed regulations (the “Revised Proposed Regulations”) is still in “proposed” status and has yet to be finalized, the revisions provide insight into industry reaction to the Initial Proposed Regulations and NYSDOH’s responses.
Most of the requirements of the Initial Proposed Regulations have been retained in the Revised Proposed Regulations, subject to a few modifications. Notable requirements of the Revised Proposed Regulations are summarized below:
- Requirements Applicable to Non-Public Information: The Revised Proposed Regulations would impose cybersecurity requirements with respect to “Nonpublic Information,” which includes a hospital’s confidential business-related information and information that can be used to identify a natural person. This is broader than the federal Health Insurance Portability and Accountability Act’s (“HIPAA”) applicability to “protected health information” that can be used to identify a patient.
- Cybersecurity Program: The Revised Proposed Regulations would require hospitals to establish a cybersecurity program that features specified capabilities, including identification and assessment of cybersecurity risks, defensive infrastructure, and response to identified or detected cybersecurity events to mitigate any negative effects.
- In the Revised Proposed Regulations, NYSDOH removed a provision of the Initial Proposed Regulations that would have required the hospital’s cybersecurity program to be designed to supplement HIPAA. NYSDOH made this change in response to comments encouraging less redundancy and better alignment with HIPAA requirements. However, in written comment responses, NYSDOH noted that the Revised Proposed Regulations are still intended to supplement HIPAA.
- While the Initial Proposed Regulations focused on cybersecurity measures to protect the security and integrity of Nonpublic Information, the Revised Proposed Regulations additionally focus on continuity of the hospital’s business and operations. The revised Regulatory Impact Statement also features additional references to continuity of business and operations. The increased emphasis on business continuity may have been influenced by the recent Change Healthcare cyberattack, which had far-reaching effects on the operations of health care organizations across the country.[3]
- The Revised Proposed Regulations introduce a new requirement for hospitals to implement security controls to mitigate risks arising from electronic mail-based threats (such as spoofing, phishing, and fraud), and to review and update such controls on a regular basis to ensure their effectiveness against evolving threats. In addition, the hospital’s cybersecurity policy must be adopted in accordance with the hospital’s risk assessment and applicable state and federal law.
- CISO: Hospitals would be required to appoint a qualified senior or executive-level staff member with proper training, experience, and expertise to serve as Chief Information Security Officer (“CISO”). The CISO must recommend the hospital’s cybersecurity policy for approval by the hospital’s governing body and provide an annual written report to the governing body on the hospital’s cybersecurity program and material cybersecurity risks.
- The Initial Proposed Regulations required the CISO to develop the hospital’s cybersecurity policies and procedures. However, the Revised Proposed Regulations provide that the hospital must be responsible for developing and enforcing the hospital’s cybersecurity policy, and overseeing and implementing the hospital’s cybersecurity program. This revision affords hospitals additional flexibility in implementing their cybersecurity processes.
- In response to commenter questions as to whether each hospital in a multi-hospital system is required to have its own CISO, NYSDOH clarified that each hospital’s governing body must determine based on its risk assessment and organizational structure whether a single CISO can handle multiple hospitals within the organization’s network or if separate CISOs are needed for each hospital.
- Cybersecurity Personnel: Hospitals would be required to use qualified cybersecurity personnel or a third-party service provider to manage the cybersecurity program. If using a third-party service provider, the hospital would be required to implement written policies and procedures designed to ensure the security of information systems and Nonpublic Information accessed by such third party. The Revised Proposed Regulations also specify requirements for third-party service provider contracts. Hospitals that engage third-party service providers to assist with their cybersecurity programs may need to review the terms of such engagements to ensure compliance with these new requirements.
- Information System User Authentication: Hospitals would need to use multi-factor authentication, risk-based authentication, or other compensating controls for user authentication to protect against unauthorized access to Nonpublic Information or information systems. Multi-factor authentication would need to be required for accessing the hospital’s internal network from an external network, unless the CISO approves otherwise in writing.
- The Revised Proposed Regulations introduce additional requirements regarding user access privileges and privileged accounts that can be used to perform security-relevant functions that ordinary users are not authorized to perform (such as the ability to add, change or remove other accounts, or make configuration changes to information systems). Specifically, hospitals must limit user access privileges to information systems that provide access to Nonpublic Information to only those necessary to perform the user’s job. In addition, hospitals must have separate privileged accounts that are limited in number and access functions to only the quantity and capabilities necessary to perform required privileged functions. Hospitals also must review all user access privileges and remove or disable accounts and access that are no longer necessary at least annually, promptly terminate access following departures, and disable or securely configure all protocols that permit remote control of devices.
- Testing, Vulnerability Assessments, and Risk Assessments: Hospitals would be required to undertake an annual risk assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of Nonpublic Information and information systems. Hospitals also would need to develop monitoring and testing, in accordance with the risk assessment, that is designed to assess the effectiveness of the hospital’s cybersecurity program and assess changes in information systems that may create or indicate vulnerabilities. Such monitoring and testing must include penetration testing of the hospital’s information systems by a qualified internal or external party at least annually and automated scans or manual or automated reviews of information systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the hospital’s information systems based on the risk assessment. These requirements are more prescriptive than HIPAA’s requirement for “periodic” risk analyses, and hospitals may need to revise their HIPAA risk analysis plans to ensure compliance with these new requirements.
- The Revised Proposed Regulations generally retain the initially proposed requirements for testing, vulnerability assessments, and risk assessments, while additionally requiring (1) the hospital’s risk assessment to assess risks and vulnerabilities to the continuity of the hospital’s business and operations; (2) timely remediation of vulnerabilities based on the risk they pose to the hospital; and (3) that penetration testing must be conducted based on the hospital’s risk assessment.
- Audit Trails and Records Maintenance: Hospitals would be required to maintain, for at least six years, records pertaining to systems design, security, and maintenance, as well as audit trails that can detect and combat significant cybersecurity threats. This mirrors HIPAA record retention obligations, which require documentation of HIPAA policies and procedures to be kept for six years from the date of its creation or the date it was last in effect, whichever is later.
- Incident Response Plans: Hospitals would be required to adopt a written incident response plan designed to promptly respond to and recover from material security incidents in accordance with requirements specified in the regulations.
- 72-Hour Incident Reporting: Immediately upon finalization of the Revised Proposed Regulations, hospitals would be required to report to NYSDOH as promptly as possible, but not later than 72 hours after determining that a cybersecurity incident has occurred. Hospitals must retain documentation related to such incidents for at least six years and provide it to NYSDOH upon request.
- Several commenters expressed concern with the requirement in the Initial Proposed Regulations to report security incidents to NYSDOH within two hours of a determination that the incident occurred and had a material adverse impact on the hospital, noting that this timeframe is not consistent with industry standards. In response, NYSDOH extended the reporting timeframe to 72 hours.
- Estimated Compliance Costs and Cybersecurity Funding: The state estimates significant compliance costs, ranging from tens of thousands to tens of millions of dollars per hospital. Nevertheless, the state believes the Revised Proposed Regulations are necessary, given the high-risk cybersecurity environment in which hospitals operate. In 2023, NYSDOH responded to more than one cybersecurity incident per month, several of which forced hospitals to turn away patients, stopped their billing procedures, and hampered care delivery. These incidents have impacted many New Yorkers, with over 225,000 patients potentially being affected in one breach alone. In response to comments expressing concerns regarding compliance costs, NYSDOH reiterated its belief that the significant financial impact will ultimately be outweighed by the additional levels of security these regulations will impart on hospitals and the health care system in New York. NYSDOH also pointed to $500 million in state hospital cybersecurity grant opportunities and $650 million in statewide funding for health information technology, telehealth, and cyber-related efforts as having the potential to alleviate the financial burden of compliance for affected hospitals.
Next Steps. The Revised Proposed Regulations are subject to a notice and comment period until July 1, 2024 and, if finalized, would come into effect one year after finalization—with the exception of the 72-hour security incident reporting requirement, which would take effect immediately. To comply, hospitals would need to update their cybersecurity policies and procedures, hire cybersecurity professionals, change their incident response procedures, and revise their planned security risk assessments.
These proposed regulations arrive on the heels of the expansion of cybersecurity governance, safeguards, and incident reporting requirements applicable to entities regulated under New York’s insurance law (including health insurance companies), banking law, or financial services law.[4] As a whole, these regulatory developments highlight the increased expectations and scrutiny around cybersecurity programs for the health care sector.
If you have any questions concerning this alert, please contact your usual Ropes & Gray advisor or one of the authors.
--
Christine Moundas is a partner in Ropes & Gray’s health care group and co-head of the firm’s digital health initiative. Moundas provides strategic, regulatory, compliance and transactional advice to health care technology companies, health systems, pharmaceutical companies and investors. She counsels clients on cutting-edge issues in the digital health space, including artificial intelligence, interoperability and big data initiatives. She can be reached at Christine.Moundas@ropesgray.com. Gideon Zvi Palte is an associate in the firm’s health care group. He advises health care providers, technology companies, insurance companies, health care organizations and investors on transactional and regulatory issues. He can be reached at Gideon.Palte@ropesgray.com. William Shefelman and Peyton Brooks are associates in the firm’s health care group and can be reached at William.Shefelman@ropesgray.com and Peyton.Brooks@ropesgray.com, respectively.
1. Addition of Section 405.46 to Title 10 NYCRR (Hospital Cybersecurity Requirements), Notice of Revised Rulemaking, May 15, 2024, https://regs.health.ny.gov/sites/default/files/proposed-regulations/Hospital%20Cybersecurity%20Requirements_0.pdf.
2. Christine Moundas & Gideon Zvi Palte, New York State Proposes New Cybersecurity Program and Incident Reporting Requirements for Hospitals, Ropes & Gray LLP (Nov. 28, 2023), https://www.ropesgray.com/en/insights/alerts/2023/11/new-york-state-proposes-new-cybersecurity-program-and-incident-reporting-requirements-for-hospitals.
3. For more information on the Change Healthcare cyberattack, see Fran Faircloth et al., Change Healthcare Cyberattack: HHS OCR Publishes Early Guidance on Breach and UnitedHealth Group Provides Critical Status Update, Ropes & Gray LLP (Apr. 30, 2024), https://www.ropesgray.com/en/insights/alerts/2024/04/change-healthcare-cyberattack-hhs-ocr-publishes-early-guidance-on-breach-and-unitedhealth-group.
4. See Christine Moundas & Briana Fasone, NYSDFS Expands Requirements for Cybersecurity Governance, Safeguards and Incident Reporting for New York State Health Insurance Companies, Ropes & Gray LLP (Nov. 20, 2023), https://www.ropesgray.com/en/insights/alerts/2023/11/nysdfs-expands-requirements-for-cybersecurity-governance-safeguards-and-incident.