New York's hospital cybersecurity rules could spur similar mandates

- Tina Reed, author of Axios Vitals

The idea of mandating that hospitals meet minimum cybersecurity standards is gaining traction amid scrutiny of mounting attacks that have knocked health systems offline for weeks and upended patient care.
Driving the news: New York Gov. Kathy Hochul this week proposed the state become the first to require health systems to adopt certain cyber defenses, including preparation of response plans for a potential attack.
- She also proposed redirecting $500 million from the state's fiscal 2024 budget toward grants to help hospitals get up to speed.
- "New Yorkers, and Americans broadly speaking, expect their governments to ensure that their critical infrastructure in which they rely is materially free from threats," New York's chief cyber officer, Colin Ahern, told Axios.
The big picture: The proposal reflects a broader shift toward viewing cyber attacks in health care as a patient safety issue, rather than a privacy issue, as they increasingly disrupt how and where health systems provide care.
- Attacks in several cases have forced ambulances to travel longer distances to other regional hospitals, while surgeries were rescheduled and clinics were temporarily shuttered.
- In New York, two hospitals last month had to divert patients to other hospitals due to cyber attacks.
Between the lines: Experts tell Axios that New York's proposal is likely the first of more cyber mandates to come for hospitals.
- "We understand that the mandates are coming," said Mari Savickis, vice president of public policy for the College of Healthcare Information Management Executives.
- "What we've said is that we just really need some support, especially for those under-resourced providers," she said.
At the federal level, the White House has said it is targeting minimum cyber standards for critical infrastructure, including hospitals.
- Health and Human Services Deputy Secretary Andrea Palm said the agency isn't ruling out the idea of tying minimum cybersecurity requirements to payments under federal health programs, per Politico.
Details: New York's proposal, part of a statewide initiative announced earlier this year to shore up cyber defenses, calls for each hospital to "securely maintain systems that are designed to support normal operations."
- All hospitals would need to have a cybersecurity program, designate a chief information security officer and perform risk assessments.
- The proposed rules also call for establishing protocols like multifactor authentication, as well as audit trails to help detect and quickly respond to a cyber event.
- "It's focused on not only roles but certain technology solutions that should be implemented at a minimum from a table stakes perspective that have been proven to really enforce a strong information security program," said Mike Parisi of cybersecurity compliance firm Schellman.
- Patient privacy regulations have pushed hospitals with limited IT budgets to focus on protecting patient data from hackers, leaving other systems vulnerable, said Ty Greenhalgh, health care industry principal at cybersecurity firm Claroty.
- For example: "I can hack your hospital's HVAC and your elevator system in the summertime and you will immediately go into emergency triage ... It's not just about ransomware anymore."
What's next: New York officials said they're still weighing penalties for noncompliance as they collect public comment on the proposal until February.
- If the requirements ultimately go into effect, hospitals would have one year to come into compliance.