
New York State Department of Health Codifies Cybersecurity Regulations for Healthcare Organizations

March 12, 2025

AUTHORED BY

Chirico Rozsa, CPA

Audit Senior Manager | Healthcare


In November 2023, the New York State Department of Financial Services (NYDFS) adopted significant amendments to its cybersecurity regulation, 23 NYCRR Part 500. While aimed primarily at the banking and insurance industries, Part 500 can also affect organizations outside those industries.

Fast forward to November 2024: the New York State Department of Health (NYSDOH) has followed suit and codified a similar rule for New York hospitals, 10 NYCRR 405.46.

New York Department of Health Cybersecurity Regulations Overview

Why was this regulation proposed?

The healthcare industry is one of the most targeted industries for cybersecurity breaches because of the financially lucrative information that organizations maintain. Personally identifiable information (PII) and protected health information (PHI) in particular are permanent in nature: unlike a username or password, there is little to no way for an individual to change them after a breach.

Furthermore, New York previously had no cybersecurity requirements specific to the safeguarding of PII/PHI. While the Health Insurance Portability and Accountability Act (HIPAA) sets broad federal requirements for safeguarding PHI, this regulation is intended to supplement HIPAA and strengthen the provisions that already exist.

Who do the New York Healthcare Cybersecurity Regulations affect?

The NYSDOH regulation applies only to general hospitals licensed under Article 28 of the New York Public Health Law, regardless of size or location within the state. Nursing homes and other residential health care facilities are not covered by this rule.

What are the key takeaways from the New York Healthcare Cybersecurity Regulations for hospitals?

While not a comprehensive list, there are several matters that hospitals need to consider. Hospitals are required to:

  • Develop comprehensive cybersecurity programs including a formal risk management process and written policies and procedures;

  • Report to the NYSDOH as promptly as possible, but no later than 72 hours, after determining that a cybersecurity event that materially affects operations has occurred;

  • Vet third-party providers to ensure that they comply with specific cybersecurity standards;

  • Maintain records of all cybersecurity incidents and audits (including actions taken for remediation of vulnerabilities) for a minimum of six years;

  • Appoint a Chief Information Security Officer (CISO); the CISO may be an employee or a contracted third party.

When do the New York Healthcare Cybersecurity Regulations go into effect?

While hospitals have until October 2, 2025 to comply with the regulations, the mandate to report cybersecurity incidents to the NYSDOH is effective immediately.

Healthcare Cybersecurity Industry Outlook in 2025

Cybersecurity has been a hot topic for several years, and it will continue to be for the foreseeable future. Despite the security controls organizations worldwide have put in place over the last decade, data breaches continue to occur with increasing frequency. ‘Cybersecurity fatigue’ is real, but it is important to stay current with the latest regulations as well as with changes in technology. Consider the rise of generative artificial intelligence (AI) over the last few years. As it becomes more mainstream, it will increasingly become a staple in organizations and drive positive outcomes. However, cyber criminals have access to the same technology, and attacks that previously took days or hours to carry out can now be completed in minutes or seconds.

Furthermore, the risk of material adverse effects to an organization is not predicated solely on the security of its own PII/PHI. Consider the wide-reaching ransomware attack on Change Healthcare in early 2024: according to an American Hospital Association survey, 94% of hospitals reported some financial impact from the attack, and more than half described it as “significant” or “serious”.

While many organizations carry cybersecurity insurance, the cost of returning to normal operations tends to exceed policy limits. Rather than trying to build an impenetrable infrastructure, which can be cost-prohibitive, industry leaders are suggesting an increased focus on the ability to rapidly detect, respond, and recover.

How can Freed Maxick Help with Healthcare Cybersecurity?

With a robust team of risk advisory and healthcare consulting experts, Freed Maxick can help your hospital with a variety of service offerings including, but not limited to:

  • Outsourced CISO
  • Business continuity and disaster recovery plan preparation and review
  • Vulnerability assessments
  • Disaster recovery
  • Third-party IT risk management

If you’d like to speak with someone in our healthcare or risk advisory group, please call Freed Maxick for a complimentary discussion.