NY governor wants new cybersecurity rules for hospitals after multiple attacks

New York’s governor has proposed several new cybersecurity rules for the state’s hospitals following several attacks that limited operations at healthcare facilities for weeks this year.

Gov. Kathy Hochul wants to force hospitals to establish cybersecurity programs, assess cybersecurity risks, use defensive techniques and infrastructure, and implement protection measures for information systems.

Hospitals would have to create a chief information security officer role if they do not have one already.

Facilities would need to develop incident response plans and outline how they plan to notify the appropriate government bodies in the event of an attack. Hochul’s proposal includes measures to require hospitals to run tests of their response plans that ensure patient care can continue while systems are being restored.

"Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals," Hochul said Monday. "These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”

The proposals, which were first reported by the Wall Street Journal, also would mandate that hospitals sketch out secure practices for the use of software applications. There are other proposals related to multifactor authentication and other cybersecurity topics.

Hochul noted that her budget for the next fiscal year includes $500 million in funding that hospitals across the state can use to upgrade their technology systems in line with the proposed regulations. Applications for the funding will be rolled out soon, the governor’s office said.

The proposed rules will now go before the Public Health and Health Planning Council this week and will be published to the State Register on December 6, giving stakeholders 60 days to comment.

If approved, the rules will come into effect one year after they are finalized.

“These draft regulations build upon the statewide cybersecurity strategy Governor Hochul released in August. As hospitals face growing cyber threats, it is imperative that we enable them to defend against attacks and these draft regulations and financial commitment do just that,” said New York State Chief Cyber Officer Colin Ahern.

“We look forward to receiving public feedback over the next 60 days before finalizing the regulations to support improved cyber defenses and resilience for hospitals statewide."

The governor’s office noted that attacks on healthcare facilities have led to patient diversions, procedure cancellations, limits on critical services and the use of paper records.

Three weeks ago, a ransomware attack on a hospital network in Westchester forced at least three hospitals to turn ambulances away and left patients scrambling for answers for a week.

Two facilities in upstate New York — Carthage Area Hospital and Claxton-Hepburn Medical Center — spent weeks struggling with a ransomware attack eventually claimed by the LockBit ransomware group.

In that situation, ambulances were also diverted and appointments were canceled.

The state’s attorney general recently began issuing stiff fines to companies that failed to protect patients in the aftermath of ransomware attack, forcing one of the nation’s largest private radiology companies to pay $450,000 after a 2021 ransomware attack.

Hochul has made cybersecurity a pillar of her work since taking office, recently announcing changes to state cybersecurity rules that force regulated entities to report ransomware payments and take other measures to secure customer data.