New York Governor Kathy Hochul proposed tighter cybersecurity regulations for hospitals on Monday, adding that hospitals can dip into the $500 million that’s been earmarked for compliance efforts.
The proposed regulations would require hospitals to establish cybersecurity programs to assess risks, establish defensive measures to protect information technology (IT) systems from “unauthorized access or other malicious acts,” and come up with clear response plans and written guidance to help employees respond to an attack, according to the governor’s office.
“Our interconnected world demands an interconnected defense against cyberattacks, leveraging every resource available, especially at hospitals,” Hochul said in a statement. “These new proposed regulations set forth a nation-leading blueprint to ensure New York state stands ready and resilient in the face of cyber threats.”
Hospitals would also be required to hire a chief information security officer to enforce, annually review, and update policies, according to the governor's office.
More than 180 hospitals across New York can apply for funding, which comes from the state’s FY 2024 budget. The $500 million expenditure aims to “spur investment in modernization of healthcare facilities as well as utilization of advanced clinical technologies, cybersecurity tools, electronic medical records, and other technological upgrades to improve quality of care, patient experience, accessibility, and efficiency,” according to the governor’s office.
Executives at Mount Sinai Health System and Northwell Health expressed positive sentiment for the regulations, noting that cybersecurity is an important issue affecting the sector.
“For large health systems like Northwell and the other large ones in the city, it’s probably not going to be burdensome because 95% of what they’re asking us to do, we do anyway,” said Mark Jarrett, senior health advisor at Northwell. “Smaller hospitals […] don’t have the people resources and the money resources to get this done easily.”
The Iroquois Healthcare Association, which represents 50+ member hospitals across 32 counties in upstate New York, echoed that concern.
“We are examining the regs to ensure that there is not any overlap or redundancy with standards at the federal level that could consume precious resources for our upstate hospital members,” according to the association, which also urged the Hochul administration “to provide technical compliance assistance and education to smaller and rural hospitals” upstate.
Those issues will likely be addressed during the public comment period, which is set to conclude on February 5, 2024, if the Public Health and Health Planning Council adopts the proposed regulations this week.
Still, Jarrett called the proposed regulations “a great first step.”
“Cybersecurity is a patient safety issue,” he said. “In that regard, attacking it this way, I think, is a good thing to do.”
Jarrett added that Northwell intends to tap into the $500 million to aid improvements to its IT system, which has yet to experience a ransomware attack, a type of incident that has become increasingly common in the sector.
The Department of Health and Human Services’s Office for Civil Rights reported a 278% increase in ransomware attacks over the last four years, along with a 239% increase in “large breaches” that involved hacking.
Last month, two hospitals in New York state reported cybersecurity attacks that caused ambulance diversions, among other disturbances. On the system level, Chicago-based CommonSpirit reported a $160 million loss from a 2022 cyberattack that crippled the health system, which has 140+ hospitals.
“Putting in regulations is an excellent thing,” Jarrett said. “As a state that has large and small—urban, suburban, and rural—I think we present that mosaic of hospitals of healthcare that really requires a uniform approach.”