NYSDOH Issues Revised Proposed Hospital Cybersecurity Regulations
The New York State Department of Health (NYSDOH) has issued revised proposed regulations on hospital cybersecurity. NYSDOH revised the proposal based on the substantial number of public comments it received on this sweeping regulatory proposal. You can read the NYSDOH revised regulatory proposal on hospital cybersecurity below.
Department of Health
REVISED RULE MAKING
NO HEARING(S) SCHEDULED
Hospital Cybersecurity Requirements
I.D. No. HLT-49-23-00001-RP
PURSUANT TO THE PROVISIONS OF THE State Administrative Procedure Act, NOTICE is hereby given of the following revised rule:
Proposed Action: Addition of section 405.46 to Title 10 NYCRR.
Statutory authority: Public Health Law, section 2803
Subject: Hospital Cybersecurity Requirements.
Purpose: To create cybersecurity program requirements at all article 28 regulated facilities.
Substance of revised rule (Full text is posted at the following State website: https://regs.health.ny.gov/regulations/proposed-rule-making): The proposed regulation would create a new section 405.46 of Title 10 (Health) of the Official Compilation of Codes, Rules and Regulations of the State of New York, to create cybersecurity requirements for all hospital facilities.
Section 405.46 (a) identifies all general hospitals in New York State as subject to the regulations.
Section 405.46 (b) defines certain terms and language for purposes of the section.
Section 405.46 (c) establishes the requirements for hospitals to have a cybersecurity program and defines protocols, procedures, and core functions of such program.
Section 405.46 (d) defines the cybersecurity policies that general hospitals will need to create and the topics that should be considered after a risk assessment has been performed.
Section 405.46 (e) requires general hospitals to designate a Chief Information Security Officer.
Section 405.46 (f) sets forth the requirements for testing and vulnerability assessment of a general hospital’s cybersecurity program.
Section 405.46 (g) outlines the audit trails and records maintenance and retention requirements of a general hospital’s cybersecurity program.
Section 405.46 (h) sets forth the requirements for cybersecurity risk assessments and the considerations for policies and procedures relative to those risk assessments.
Section 405.46 (i) sets forth the requirements for cybersecurity personnel general hospitals must utilize.
Section 405.46 (j) sets forth the policies for third-party service providers of cybersecurity programs.
Section 405.46 (k) sets forth the requirements for identity and access management.
Section 405.46 (l) sets forth the requirements for training and monitoring of the cybersecurity program.
Section 405.46 (m) defines the requirements for an incident response plan in the event of a cybersecurity incident.
Section 405.46 (n) defines the reporting requirements for a general hospital during a cybersecurity incident.
Section 405.46 (o) refers to confidentiality and the applicability of State and federal statutes.
Section 405.46 (p) provides general hospitals one (1) year from the date of adoption to comply with the new regulatory requirements, except that general hospitals must immediately begin reporting to the Department as required by subdivision (n) of this section.
Section 405.46 (q) states that if any provisions of the section are found to be invalid, it shall not affect or impair the validity of other provisions of the section.
Revised rule compared with proposed rule: Substantial revisions were made in section 405.46(b)(5)(ii), (10), (c), (d), (e), (f), (g), (h), (i), (k), (n), (o) and (p).
Text of revised proposed rule and any required statements and analyses may be obtained from Katherine Ceroalo, DOH, Bureau of Program Counsel, Reg. Affairs Unit, Room 2438, ESP Tower Building, Albany, NY 12237, (518) 473-7488, email: regsqna@health.ny.gov
Data, views or arguments may be submitted to: Same as above.
Public comment will be received until: 45 days after publication of this notice.
Revised Regulatory Impact Statement
Statutory Authority: Public Health Law (PHL) § 2803(2)(a) authorizes the Public Health and Health Planning Council (PHHPC) to adopt and amend rules and regulations, subject to the approval of the Commissioner of Health (Commissioner), to implement PHL Article 28 and establish minimum standards for health care facilities, including general hospitals.
Legislative Objectives: The legislative objectives of PHL Article 28 include the protection of the health of the residents of the State by promoting the efficient provision and proper utilization of high-quality health services at a reasonable cost.
These regulations fulfill this legislative objective by ensuring that general hospitals within New York State implement minimum cybersecurity controls to safeguard protected health information (PHI) and personally identifying information (PII) from being publicly disclosed or used for identity theft, and ensure continuity of business and operations at general hospitals within the State.
Needs and Benefits: The healthcare industry is one of the most targeted communities for cybersecurity scams and breaches due to the significant amount of sensitive and financially lucrative information healthcare facilities collect. Currently in New York State there are no cybersecurity requirements for the safeguarding and security of patients’ protected health information (PHI) and personally identifying information (PII) and for ensuring continuity of business and operations at hospitals within the State. As a result, New Yorkers seeking medical care have no guaranteed minimum levels of protection of their information. As a result of this, there have been several high-profile cybersecurity breaches at facilities across the state which have resulted in not only a loss of patient financial and health data, but in some cases have also delayed care.
Additionally, cybersecurity events at hospitals can have significant, far-reaching, and long-term impacts on the provision of patient care and operation of the facility. Governor Hochul has been focusing on cybersecurity and ensuring that New Yorkers’ data stays safe no matter where they go. The promulgation and implementation of cybersecurity-focused regulations supports this initiative. These regulations will ensure all hospitals develop, implement, and maintain minimum cybersecurity standards, including cybersecurity staffing, network monitoring and testing, policy and program development, employee training and remediation, incident response, appropriate reporting protocols and records retention.
There will be multiple benefits to the adoption of these regulations. Given the significant differences in preparedness statewide against cybersecurity attacks, these regulations will ensure hospitals are required to maintain a minimum level of readiness to prepare for, respond to, and quickly recover from cybersecurity incidents.
Costs:
Costs to Regulated Parties: The costs associated with the implementation by regulated facilities will vary significantly due to the varying levels of cybersecurity programs and policies hospitals currently have in place. Some facilities may have mature monitoring, training and response programs, whereas others may not. Therefore, the costs could vary from tens of thousands to tens of millions of dollars. Hospitals will be allowed to sub-contract for cybersecurity services and this may reduce the overall cost of program implementation. It is estimated that effective cybersecurity programs can cost between $250,000 and $10 million to develop and implement initially and anywhere from $50,000 to $2 million or more to maintain on a yearly basis depending on the facility size. For small hospitals (of which there are 15 and are defined as less than 10 acute care or ICU beds), ongoing annual costs are estimated to be $50,000-$200,000. For medium sized hospitals (of which there are 62 and are defined as those with between 10 and 100 beds), ongoing costs are estimated to be $200,000-$500,000. For large hospitals (of which there are 114 and are defined as those with more than 100 beds), ongoing annual costs are estimated to be $2 million.
Costs to Local and State Governments: There are currently fifteen facilities which would be subject to these proposed regulations which are operated by local municipalities. As such, they would be subject to the same regulations as those operated by private entities. The estimated costs they would incur would depend on their size, as noted above.
Local Government Mandates: These regulations do impose a program, service, duty or other responsibility upon 4 separate city, county and State governments to the extent they do not already comply with the proposed regulations.
Paperwork: These regulations impose additional paperwork in the form of procedures, policies, guidelines, and reporting documents. These requirements are necessary to ensure the efficacy of a cybersecurity program and also provide accountability and transparency for hospitals.
Duplication: There is no duplication of this initiative in existing State law. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does provide broad requirements for safeguarding PHI, but the regulations contained herein are intended to supplement HIPAA.
Alternatives: The alternative to the proposed regulation would be not enacting the cybersecurity requirements. This option is not appropriate due to the demonstrated need to protect PHI and PII and ensure continuity of business and operations at hospitals within the State. The Department in 2023 has responded to more than 1 cybersecurity incident per month, several of which have forced hospitals to go on diversion, stopped their billing procedures, and required facilities to operate on downtime procedures which can severely hamper the care delivery process. Over 225,000 patients had data possibly compromised in one breach alone.
In order to respond to comments received from facilities, the proposed regulations were modified to lengthen and simplify the compliance period in order to maximize the ability for facilities to come into compliance. Furthermore, the Department removed the requirement for a Chief Information Security Officer to be employed directly by the facility, and instead allows the CISO to be a virtual or third-party vendor upon approval by the facility’s governing body.
Federal Standards: Federal regulations governing protection of PHI and PII are contained within HIPAA; however, they are overly vague and provide limited guidance on cybersecurity and the protection of PHI and PII.
Compliance Schedule: General hospitals will have one year from the effective date of the regulation to comply with the requirements set forth herein. However, subdivision (n) of the regulation, requiring general hospitals to notify the Department as promptly as possible, but no later than 72 hours after determining that a cybersecurity incident, as defined herein, has occurred, will be effective upon adoption in the State Register. The schedule as proposed was modified as a direct result of the Department’s outreach to facilities, which provided feedback on the difficulty of developing cybersecurity programs.
Revised Regulatory Flexibility Analysis
Effect of Rule: The proposed regulations will affect all general hospitals licensed pursuant to Article 28 of the Public Health Law, regardless of size or location. There are currently 226 hospitals in New York State, including Veterans Affairs facilities (which would not be affected by these proposed regulations). These regulations will not affect local governments unless they operate a general hospital. In NYS, there are 15 hospitals operated by municipalities: Lewis County Hospital in Lewis County, NY, Wyoming County Hospital in Wyoming County, 12 facilities operated by New York City Health and Hospitals Corporation, and Helen Hayes Hospital operated by the State of New York.
Currently in New York State there are no cybersecurity requirements for the safeguarding and security of patients’ protected health information (PHI) and personally identifying information (PII) or to ensure continuity of business and operations at hospitals within the State. As a result, New Yorkers seeking medical care have no guaranteed minimum levels of protection of their information. As a result of this, there have been several high-profile cybersecurity breaches at facilities across the state which have resulted in not only a loss of patient financial and health data, but in some cases have also delayed care. Additionally, cybersecurity events at hospitals can have significant, far-reaching, and long-term impacts on the provision of patient care and operation of the facility. These regulations will ensure all hospitals develop, implement, and maintain minimum cybersecurity standards, including cybersecurity staffing, network monitoring and testing, policy and program development, employee training and remediation, incident response and appropriate reporting protocols, and records retention.
Compliance Requirements: The proposed regulations require that hospitals develop, implement and maintain minimum cybersecurity standards and programs, including information technology (IT) staffing, network monitoring and testing, policy and program development, employee training and remediation, incident response, appropriate reporting protocols and records retention.
Professional Services: Depending on the current state of an existing cybersecurity program, a facility or system may need to contract with a third-party service provider for anything from staffing and network monitoring to incident response or staff training. Facilities will be required to hire or appoint a Chief Information Security Officer (CISO). The draft regulations currently allow for the CISO to be a direct employee of the facility, or an employee of a virtual or third-party contractor upon consent and approval of the governing body. Facilities may also need to hire or contract additional information technology staff to ensure compliance with the new regulations. Additionally, the facilities may need to purchase information security programs or contract with third-party vendors to monitor for malicious network traffic, perform compliance testing with authorized users and ensure protected health information and personally identifying information is kept secure.
Compliance Costs: Given the variability in cybersecurity preparedness and current programs at facilities, the initial startup and ongoing costs could vary significantly. After initial conversations with facilities to gain a basic understanding of costs, it is estimated that effective cybersecurity programs can cost millions to develop and implement initially, and anywhere from $50,000-$2 million or more to maintain on a yearly basis depending on the facility size. For small hospitals (of which there are 15 and are defined as less than 10 acute care or ICU beds), ongoing annual costs are estimated to be $50,000-$200,000. For medium sized hospitals (of which there are 62 and are defined as those with between 10 and 100 beds), ongoing costs are estimated to be $200,000-$500,000. For large hospitals (of which there are 114 and are defined as those with more than 100 beds), ongoing annual costs are estimated to be $2 million.
Economic and Technological Feasibility: It is both economically and technologically feasible for hospitals to become compliant with the proposed regulations. There currently exists a significant amount of technology and software which can be licensed or purchased to provide network monitoring, notification, staff training and exercises, and multifactor or risk-based authentication, among others. Economically, it will be easier for hospitals which are part of large healthcare systems or located in more urban areas to comply with these regulations than it may be for smaller or more rural facilities. This is because the larger facilities and systems may already have aspects of the regulations functioning as part of a mature cybersecurity program, or may have access to more capital and resources than smaller, more rural or standalone facilities. While several facilities voiced concerns related to the cost of implementation, the consequences of what can occur as a result of a cyber-attack far outweigh those costs. Days or weeks of downtime with an inability to bill for services can cost tens of millions of dollars (at a minimum), and this, together with the unknown cost of lost productivity, cancellation of elective surgeries, purchase of new computers, etc., can well exceed the yearly maintenance program costs.
Minimizing Adverse Impact: The Department of Health conducted several rounds of outreach to affected healthcare facilities and healthcare associations as part of the regulatory drafting process, to understand what makes a successful cybersecurity program, what things should be avoided or be flexible, and how the Department can work with them to enhance preparedness in New York State. As a result of those discussions, the Department took significant steps to ensure that no specific references to technology, programs or software were included in the regulations. In this way, it allows for facilities to become compliant with the regulations however they may be able to, without the regulation becoming too prescriptive, or requiring use of overly expensive or specific software. These regulations establish truly baseline, general requirements that allow maximum flexibility to healthcare facilities to comply based on their operations. While other approaches to cybersecurity programs were considered, as required under SAPA § 202-b(1), there are unfortunately no alternatives to cybersecurity, as the health and welfare of patients both current and former at a facility can be adversely affected by a network breach. Facilities will have one year from implementation to come into compliance with the regulations except for incident reporting. The compliance period as proposed will not only maximize the ability for facilities to come into compliance, but was modified as a result of feedback received from those facilities. While these regulations will result in some cost to facilities, the Department will be taking action to mitigate these impacts. In January of this year, the Department released Statewide IV and Statewide V funding totaling $650 million to assist with implementation of, and compliance with, the regulatory requirements. This funding was appropriated in the SFY 24 budget with the intention of supporting facilities’ technological needs, including for cybersecurity purposes.
Small Business and Local Government Participation: During the drafting process, the Department conducted several rounds of outreach to over 25 different hospitals and hospital/healthcare associations to understand the current state of the industry, cybersecurity program best practices and areas to avoid.
Parties the Department reached out to:
University of Rochester MC
Kaleida Health
Northwell Health
NY Presbyterian
Elizabethtown Hospital
Arnot Ogden MC
Geneva General Hospital
Soldiers and Sailors Memorial Hospital
Rochester General Hospital
Unity Hospital
Wyoming County Hospital
Richmond University Medical Center
Healthcare Association of NYS
Iroquois Healthcare Association
Healthcare Association of Central and Western NY
Suburban Hospital Alliance of NYS
Greater NY Healthcare Association
As there are facilities run by city, county and state municipalities, a cross section of them was invited to participate in the roundtable discussion related to cybersecurity programs and proposed regulations. The Department has some direct communication methods through the Health Commerce System which will be utilized to reach out to C-suite executives at each facility after the regulations are publicly posted and available for comment.
Revised Rural Area Flexibility Analysis
Types and Estimated Numbers of Rural Areas: Rural areas as defined by Executive Law § 418(7) are counties with a population less than 200,000 and towns with a population density less than 150 people per square mile. For the purposes of this regulation, there are 44 counties with a population of less than 200,000, which have a total of 76 regulated facilities. The proposed rule will apply statewide to all general hospitals regulated under Article 28 of the Public Health Law.
Reporting, Recordkeeping and Other Compliance Requirements; and Professional Services:
1. Recordkeeping - Article 28 facilities will be required to develop cybersecurity policies, protocols and procedures within one year of the adoption of the proposed regulations. Facilities will be required to maintain records of program compliance by employees, security breaches by outside entities (both successful and unsuccessful), and other program documentation for at least 6 years.
2. Reporting: Article 28 facilities will be required to report any cybersecurity incidents, as defined in the proposed regulation, as promptly as possible, but no later than 72 hours after determining a cybersecurity incident has occurred. Facilities will also be required to provide a report to the Department upon request of all cybersecurity incidents within the previous reporting period.
3. Professional services - Facilities will be required to hire or appoint a Chief Information Security Officer (CISO). The draft regulations currently allow for the CISO to be a direct employee of the facility, or an employee of a virtual or third-party contractor upon consent and approval of the governing body. Facilities may also need to hire or contract additional information technology staff to ensure compliance with the new regulations. Additionally, the facilities may need to purchase information security programs or contract with third-party vendors to monitor for malicious network traffic, perform compliance testing with authorized users and ensure protected health information, personally identifying information, and nonpublic information are kept secure.
Costs: The costs for this program will vary depending on the level of preparedness of each facility. For less mature programs which require significant development, the initial funding required could range from $250,000 to $10 million. For small hospitals (of which there are 15 and are defined as less than 10 acute care or ICU beds), ongoing annual costs are estimated to be $50,000-$200,000. For medium sized hospitals (of which there are 62 and are defined as those with between 10 and 100 beds), ongoing costs are estimated to be $200,000-$500,000. For large hospitals (of which there are 114 and are defined as those with more than 100 beds), ongoing annual costs are estimated to be $2 million. Facilities may be able to purchase equipment or services from State Contract lists where appropriate and applicable. Facilities will also be able to contract with appropriate third-party vendors or contractors to help ensure compliance with the proposed regulations.
Minimizing Adverse Impact: The Department has included flexibility within the regulations for facilities to ensure they are compliant with the requirements, including allowing for third-party or vendor contractors to complete compliance reporting and measures on their behalf. Additionally, facilities will have one year from the adoption of the proposed regulations to implement the requirements and ensure compliance. While these regulations will result in some cost to facilities, the Department will be taking action to mitigate these impacts. In January of this year, the Department released Statewide IV and Statewide V funding totaling $650 million to assist with implementation of, and compliance with, the regulatory requirements. This funding was appropriated in the SFY 24 budget with the intention of supporting facilities’ technological needs, including for cybersecurity purposes.
Rural Area Participation: In consideration of SAPA § 202-bb(7), the Department conducted multiple rounds of outreach with facilities of a diversity of sizes, including those located in rural areas such as Ellenville Regional Hospital and Arnot Ogden Medical Center. This outreach consisted of one-on-one conference calls with specific facilities, which occurred June 12-22, 2023, as well as a roundtable in August 2023 where over 25 facilities, healthcare associations and Department of Health staff were invited to discuss the current state of cybersecurity programs, best practices and required elements of a good cybersecurity program. While many facilities agreed about the need for a mature cybersecurity program amid increasing cybersecurity threats, many voiced concerns about the costs of these programs. The Department listened to all of the feedback provided and modified some of the language in the proposed regulations. For example, the Department simplified and lengthened the compliance period to allow facilities the maximum amount of time to be in compliance.
Revised Job Impact Statement
Changes made to the last published rule do not necessitate revision to the previously published JIS.
Assessment of Public Comment
The New York State Department of Health (Department) received 13 comments regarding the proposed addition of a new section 405.46 to Title 10 of the New York Codes, Rules and Regulations (NYCRR) pertaining to hospital cybersecurity requirements. These comments and the Department’s responses are summarized below.
Comment: All commenters recognized the significance of the proposed regulations and expressed a general sense of support for cybersecurity standards for general hospitals.
Response: The Department is grateful for the overwhelming number of positive comments received, and thanks all stakeholders for their valuable feedback. The Department remains committed to collaborating with all stakeholders and incorporating their feedback into future rulemaking. No changes to the proposed rulemaking were necessary as a result of these comments.
Comment: Five commenters requested clarification of the definition of ‘‘non-public information.’’ These commenters stated that the definition in the proposed regulation goes beyond the scope of Protected Health Information (PHI), as defined by the Health Insurance Portability and Accountability Act (HIPAA). Commenters highlighted that this could impose an additional burden on healthcare providers.
Response: The proposed regulation aims to enhance the overall cybersecurity resilience of hospitals in New York and preparedness statewide against cybersecurity attacks. The scope of the regulations extends beyond the protection of PHI data required by HIPAA to cover the systems that support continuity of patient care across the hospital ecosystem. Additionally, the New York State Department of Financial Services’ (DFS) Cybersecurity Regulation, Title 23 NYCRR Part 500, utilizes the term “Non-public Information” and keeping terms consistent between the two regulations will allow the Department and State to better address and respond to cybersecurity incidents more effectively. No changes to the proposed regulation were made as a result of these comments.
Comment: One commenter recommended aligning the definition of ‘‘cybersecurity incident’’ with existing definitions to avoid creating new, potentially conflicting standards.
Response: The definition of “cybersecurity incident” in the proposed regulation is generally aligned with the industry standard and tailored to the scope of this regulation.
Comment: Three commenters expressed their support for the requirement that hospitals have a Chief Information Security Officer (CISO). One commenter sought clarification on whether a CISO is needed for each hospital or at the enterprise level and another commenter requested clarification on what constitutes a hospital’s ‘‘governing body.’’
Response: The proposed regulation requires hospitals to designate a CISO who will be responsible for developing and enforcing the hospital’s cybersecurity plans and policies and overseeing the implementation of the hospital cybersecurity program. Each hospital’s governing body (i.e., the organization’s leadership and decision-making arm, as defined under 10 NYCRR 405.2), based on its risk assessment and organizational structure, must determine whether a single CISO can handle multiple hospitals within the organization’s network or if separate CISOs are needed for each hospital. No changes to the proposed regulation were necessary as a result of these comments.
Comment: One commenter recommended that testing and vulnerability assessments, as required by the proposed regulation, might be best performed by external, independent organizations experienced in penetration testing, and suggested that facilities may have a preference for leveraging external, over internal, expertise.
Response: The proposed regulations allow penetration testing of a hospital’s information systems to be performed by a qualified internal or external party. The testing target, type, cadence, and testing organization selection must be based on the hospital risk assessment. Hospitals are expected to use due diligence based on their size, complexity, resources, and security posture when determining how best to perform testing and vulnerability assessments. No changes to the proposed regulation are necessary as a result of this comment.
Comment: Two commenters suggested including a vulnerability disclosure program and bug bounty program within the regulation to ensure hospitals receive and respond to vulnerability information from all available sources.
Response: The Department will take these recommendations under advisement and may consider these programs in future rule making. At this time, no changes to the proposed rule have been made as a result of these comments.
Comments: Three commenters voiced concern about cost, resource constraints, and the feasibility of maintaining documentation logs for cybersecurity incidents for six years. One commenter recommended clarifying that hospitals are not required to retain all cybersecurity incident logs, as this requirement may introduce financial burden for hospitals. Another commenter mentioned potential privacy issues related to the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) with maintaining such logs.
Response: The Department wanted to align as much as possible with other retention requirements such as HIPAA and New York State patient requirements. Additionally, the proposed regulation only requires hospitals to retain logs from cybersecurity incidents that had a material adverse impact on the hospital, and therefore were required to be reported to the Department. As such, no changes to the proposed regulation were made as a result of these comments.
Comments: The Department received several comments regarding the need for risk assessment and building a cybersecurity program based on it. While many commenters generally supported a comprehensive cybersecurity program based on risk assessments, five commenters suggested that the Department consider redundancies and increased scope and align with other requirements, such as HIPAA. On the other hand, a few commenters highlighted the necessity of having continuous risk assessments, having a third-party risk management program, allocating resources and developing security programs based on the risk assessment.
Response: The cybersecurity programs required by the proposed regulation are meant to supplement HIPAA. Additionally, the proposed regulation aims to increase the overall cyber resilience of NYS hospitals, protect all ‘‘non-public’’ information, and respond effectively to cybersecurity incidents. The Department also recognizes that the risk assessment methodologies might vary based on each hospital’s size, resources, and cybersecurity maturity. Therefore, the regulation does not specify detailed requirements but instead provides general requirements for risk assessment and management. As a result of these comments, the revised rulemaking removes references to the regulations supplementing HIPAA that were previously found in subdivision (c)(2) of section 405.46 of the proposed regulation.
Comments: One commenter welcomed the prioritization of multifactor authentication (MFA), advocating for the final rule to be technology agnostic and flexible, allowing hospitals to choose suitable authentication methods based on their unique needs, in alignment with standards such as the NIST Digital Identity Guidelines.
Response: The proposed regulation aligns with industry standards, requiring MFA. However, it allows the hospital CISO to approve appropriate authentication mechanisms and compensating controls. No changes were made to the proposed regulation as a result of these comments.
Comment: Ten stakeholders expressed concerns about the proposed requirement to report cybersecurity incidents within two hours after having a material adverse impact on the hospital. Commenters believed that incident response plans need to be practical and aligned with the hospital's capacity to assess and respond to incidents before reporting, as doing so would allow for more accurate and comprehensive incident reporting and enable hospitals to prioritize effective response and recovery actions. Most commenters recommended extending the incident reporting timeline to 72 hours.
Response: The intent of the two-hour notification requirement was to allow the Department to assess risk and take appropriate incident response actions for NYS hosted and connected systems and services to prevent an intrusion to integrated networks. However, to bring the regulations into alignment with industry standards, the Department is revising the regulation to require reporting as promptly as possible, but no later than 72 hours after determining that a cybersecurity incident, as defined, has occurred.
Comment: Many of the commenters suggested that managing third-party risk is complex and potentially non-viable from a contractual/procurement perspective. Commenters recommended enhancing guidelines for third-party risk assessments and ensuring that there is continuous monitoring.
Response: The Department does not agree with specifying detailed requirements in the regulation, as assessing third party risk will vary based on organization size and the nature of engagement with specific third-party service providers. However, the Department anticipates issuing future guidance and will consider making references to current industry best practices in potential future rulemaking. No changes to the proposed regulation were made as a result of these comments.
Comment: A commenter suggested amending the regulation to include the frequency and cadence on security testing of externally developed applications and third-party risk management.
Response: Pursuant to the proposed regulations, the third-party risk assessment and testing target, type, and cadence must be based on the hospital's risk assessment. Hospitals are expected to exercise due care and due diligence based on their size, resources, and security posture. No changes to the proposed regulation were made as a result of this comment.
Comment: Five commenters emphasized the importance of the state’s regulations aligning with existing federal standards to avoid duplication of compliance burdens. Federal standards mentioned were HIPAA, NIST cybersecurity framework, HICP 405(d) and pending HHS proposed cybersecurity regulations. Commenters recommended revising the proposed regulation to ensure that they’re consistent with federal guidelines, so they will not burden hospitals as they work to comply. Two large private cybersecurity vendors also commented that there is a gap between the need to protect ‘identity’ as opposed to ‘authentication’ which is an aspect of identity.
Response: As a result of these comments, the Department took a closer look at the proposed regulation to ensure the cybersecurity requirements were in alignment with state and federal policies and guidelines as well as with industry best practices. In doing so, the Department recognized that NIST recently published the NIST Cybersecurity Framework 2.0 and that HHS also introduced the HPH Cybersecurity Performance Goals. Therefore, the Department is proposing revisions to subdivisions (c) and (k) of section 405.46 of the proposed rulemaking.
Comments: One commenter recommended including identity and access management in the final regulation.
Response: The Department updated the title of subdivision (k) of section 405.46 of the proposed regulation from "Risk-Based Authentication" to "Identity and Access Management" and included additional controls recognized by the industry in the regulation.
Comment: Several commenters expressed concern over cost, staffing and other resource constraints which may impact the ability of hospitals to implement the regulatory requirements.
Response: The Department recognizes the financial impact that these regulations will have on facilities, but believes that such impact will ultimately be outweighed by the additional levels of security these regulations will impart on hospitals and the healthcare system in New York. Additionally, NYS recently announced grant opportunities totaling $500 million to help support hospital cybersecurity. There is an additional $150 million in Statewide IV and $500 million in the new Statewide V that will both be released this year, to assist with implementation of the regulatory requirements. This $650 million combined Statewide funding is available for health information technology, telehealth, and cyber-related efforts. No amendments were made to the proposed regulation as a result of these comments.
Comments: Some comments related to introducing technology products, services, solutions in the cybersecurity space that could be used to support hospitals.
Response: These comments are outside the scope of the proposed rulemaking.
Comment: One commenter requested delaying the effective date of the regulations until after the Department of Health & Human Services (HHS) finalizes its changes, suggesting a need for compliance periods that consider upcoming federal standards and hospitals’ readiness to meet new requirements.
Response: The Department is expecting modifications in the federal regulations and additional controls from HHS’ HPH Cybersecurity Performance Goals (CPGs). The Department will be closely monitoring the changes in the federal and industry standards and will incorporate them in future rule-making processes. No changes to the proposed regulation were necessary as a result of this comment.
Comment: One commenter suggested that the effective dates of different regulatory requirements should be stratified to account for the varying levels of familiarity and preparedness among hospitals, particularly those that are under-resourced.
Response: The Department understands that the adoption and implementation of these requirements may differ depending on the hospital’s current security posture, size, and organizational structure. However, all these requirements are in line with the leading cybersecurity best practices, and the Department expects that hospitals will implement these controls within the specified timeframe. The Department will continue to have discussions with all stakeholders and consider amendments to the regulation in future rulemaking if necessary.