New York Governor Proposes Stricter Cybersecurity Rules for Hospitals After Cyberattacks

New York Governor Kathy Hochul has introduced a series of cybersecurity regulations aimed at enhancing the resilience of the state's hospitals in the face of escalating cyber threats. These proposals come in response to a spate of cyber incidents in 2023 that severely disrupted healthcare operations.

Under Governor Hochul's proposed rules, hospitals across the state would be required to establish robust cybersecurity programs. This would involve conducting comprehensive assessments of cybersecurity risks, implementing defensive strategies and infrastructure, and putting protective measures in place for their information systems. Hospitals lacking a designated Chief Information Security Officer (CISO) would need to create this role to effectively oversee cybersecurity efforts.

"In our interconnected world, it is true we need interconnected defenses. A crucial aspect is a focus on collective defense and software supply chain security in healthcare," says Emily Phelps, Director at Cyware. She highlights the mandate for a CISO role and the enforcement of Multi-Factor Authentication (MFA) as key steps to bolster healthcare system defenses.

Phelps emphasizes the need for shared knowledge and resources to strengthen cybersecurity across the industry, stating, "Leveraging healthcare ISACs and trusted intelligence sharing help these entities become more proactive."

Phelps also underscores the importance of evaluating and testing third-party security, particularly in securing the software supply chain. With healthcare organizations relying on various software solutions and third-party services, the proposal's focus on third-party security policy establishment and regular testing is a proactive measure to mitigate supply chain risks.


Paul Valente, CEO & Co-Founder of VISO Trust, expressed concern over the lack of cybersecurity funding in the healthcare sector, which has made it a prime target for cybercriminals. "Ransomware has become endemic with healthcare organizations, more frequently leaving them with no choice but to pay the ransom, rather than risk patient safety," he warns. Valente also noted the significant challenges posed by third-party risks due to the complex relationships healthcare institutions have with supply chain vendors and the ever-evolving nature of cyber threats.

Governor Hochul's proposal aligns with her commitment to strengthening cybersecurity within the state. Her budget for the upcoming fiscal year includes $500 million in funding that hospitals can use to upgrade their technology systems in accordance with the proposed regulations. Applications for this funding will be announced soon, according to the governor's office.


The proposed regulations will undergo review by the Public Health and Health Planning Council this week and will be published in the State Register on December 6. Stakeholders will have a 60-day window to provide feedback on the proposed rules. If approved, the regulations will take effect one year after finalization.

These regulations are part of a broader statewide cybersecurity strategy Governor Hochul unveiled in August, reflecting the imperative to enable hospitals to defend against an increasing number of cyber threats effectively. The healthcare sector has experienced significant disruptions due to cyberattacks, including patient diversions, procedure cancellations, and reliance on paper records. Recent ransomware attacks on hospitals have underscored the urgency of enhancing cybersecurity measures in the healthcare industry.
