Cybersecurity Legislation in Healthcare: New York's Pivotal Proposal

The need for strict cybersecurity measures has increased in the aftermath of persistent cyberattacks on vital infrastructures, such as hospitals. The recent proposal by New York Governor Kathy Hochul signifies a pivotal shift in addressing cyber threats in healthcare. The proposal, aimed at mandating specific cyber defenses for health systems, sets the stage for the state to lead the charge in bolstering cybersecurity standards. 


The necessity for this legislation arises from the escalating frequency and severity of cyberattacks disrupting healthcare operations. These attacks are no longer just privacy concerns but substantial threats to patient safety. Instances of hospitals diverting patients, rescheduling surgeries, and temporarily shutting down clinics due to cyber incidents have accentuated the urgency of robust cybersecurity protocols.


New York's proposal outlines several key requirements for hospitals. These include establishing comprehensive cyber defense strategies, designating a chief information security officer, conducting risk assessments, and implementing controls such as multifactor authentication and audit trails so that cyber events can be promptly detected and responded to. The proposal emphasizes securing the systems that support normal operations, a crucial step in safeguarding against disruptions caused by cyber intrusions.


However, while these measures are essential, implementing them universally poses challenges. Many healthcare facilities, especially smaller or under-resourced providers, may struggle to meet these mandated standards due to limited financial resources and technical expertise. The allocation of $500 million from the state's budget toward grants to assist hospitals in meeting these standards is a promising step, but more comprehensive support may be necessary to ensure widespread compliance. 


Furthermore, the evolving nature of cyber threats introduces complexities. Traditionally, hospitals focused on safeguarding patient data to comply with privacy regulations, inadvertently leaving other systems vulnerable. The interconnectedness of hospital infrastructure means that attackers can exploit seemingly unrelated systems, such as HVAC or elevator controls, to disrupt critical healthcare services. As highlighted by Ty Greenhalgh of Claroty, the threat extends beyond ransomware to the potential compromise of essential hospital functions.


This proposal also echoes a larger trend at the federal level, with the White House targeting minimum cyber standards for critical infrastructure, including healthcare. The possibility of tying minimum cybersecurity requirements to federal health program payments indicates a broader push to enforce cybersecurity standards across the healthcare sector. 

Looking ahead, New York officials are considering penalties for noncompliance while welcoming public feedback until February. If enacted, hospitals would have a year to meet these cybersecurity standards. 


As cyber threats evolve and intensify, proactive measures are imperative to fortify the healthcare industry against potential disruptions. While mandates for minimum cybersecurity standards represent a crucial step forward, a collaborative effort between governments, healthcare institutions, and cybersecurity experts is essential to navigate the complexities and ensure comprehensive protection of critical healthcare infrastructure. 


The proposal in New York sets a precedent for cybersecurity legislation in healthcare, signaling a significant shift toward prioritizing cybersecurity as an integral component of patient care and overall system resilience. 


Michael Markulec

technology executive, cyber-security guru, politician, rugby player, deadhead, brewer, former army officer, crossfitter, and hard-drinking calypso poet.