Hospital cybersecurity regulations are coming in hot. The new year is poised to bring fresh cybersecurity mandates and hospital regulations. A devastating string of attacks taking down operations at numerous medical facilities across New York state has set a precedent experts expect to spread across the nation, with regulators across the country insisting that “HIPAA compliance is not enough.” When you look at the stats, it isn’t surprising.
What’s behind the move to hospital cybersecurity regulations?
89% of healthcare technology leaders surveyed experienced a cyberattack in the past year, combatting an average of 43 attacks annually, with resulting costs and damages spiking into the mid-seven figures. The costs weren’t limited to technology infrastructure either: resolving the impact on patient care alone generally cost over half a million, at $644,350.
So, where do hospital cybersecurity regulations come into play? In addition to direct expenses and indirect costs, including breaches of PHI that result in heavy HIPAA and regulatory fines and lawsuits, cybersecurity breaches impact patient care.
Hospital cybersecurity regulations protect quality of care.
Healthcare cybersecurity breaches have a heavy impact on patient communities. These cybersecurity events usually increase the length of hospital stays, lower the level of patient care, and, depending on the attack type, even affect mortality rates.
More than half of healthcare cybersecurity breaches include a compromise of hospital supply chains. When healthcare supply chains are attacked, the implications can be dire. Healthcare cybersecurity breaches disrupt patient care for 70% of organizations, with supply-chain security compromises having devastating results on length of stay, patient condition, and mortality rates.
Meanwhile, with vulnerable cloud, mobile, network, big data, and IoT technologies, patient safety risks have jumped by 70%. Some healthcare organizations have close to 30K network-connected devices on average connected to the cloud, including infusion pumps and pacemakers that can be affected in the event of a healthcare cybersecurity breach.
Ransomware attacks on healthcare (think phishing scams leading to Business Email Compromise) drive the most dangerous patient outcomes in terms of safety and level of care. 64% of healthcare organizations report poor testing outcomes and procedure delays. Increasing patient stays across the board put pressure on already limited resources.
What’s coming next for healthcare cybersecurity regulations?
For now, New York regulators are issuing cybersecurity regulations for hospitals. These require facilities to develop and test incident response plans, assess cybersecurity risks, and install security technology staples like multi-factor authentication (MFA) while also developing secure software and hardware infrastructure approaches.
Governor Kathy Hochul announced that the new annual state budget includes $500M in funding for healthcare facilities to upgrade their technology systems in compliance with the latest proposed regulations.
“Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals,” the Governor said. “These proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”
What are the technical requirements behind the proposed regulations?
The proposed regulations focus on bolstering hospital network and system protections critical to patient care, as a complement to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule on protecting patient data and health records. Under these proposed provisions, hospitals will be legally required to create and document a cybersecurity program with proven steps to assess internal and external cybersecurity risks. These healthcare cybersecurity programs include investing in defensive techniques and infrastructure and implementing safety measures to protect information systems from unauthorized access or other malicious acts. The goal of these regulations and the allocated state-backed funding is to take all action possible to prevent healthcare cybersecurity breaches from ever happening.
Under the new requirements, New York hospitals must develop cybersecurity incident response plans, including alerting relevant third parties. Hospitals will be required to frequently test response plans to guarantee uninterrupted patient care while critical systems are restored back to normal operations.
The proposed regulations require each hospital’s cybersecurity program to include documented procedures, guidelines, and standards for developing secure practices for in-house applications intended for facility use. Hospitals are also required to establish policies and procedures for actively evaluating, assessing, and testing the security of the externally developed applications they rely on.
These regulations would also require hospitals to establish a Chief Information Security Officer role, if one does not exist, to enforce strict adherence to the new policies and annually review and revise them as necessary. The proposed regulations mandate multi-factor authentication to access the hospital’s internal networks from an external network.
How can you act ahead of new and oncoming healthcare cybersecurity regulations?
1. Enforce MFA (Multi-Factor Authentication) across your organization. MFA will help protect your healthcare organization from the business email compromises that can spur the most dramatic ransomware events with the most fallout.
Note: Your organization must have MFA and other password management solutions to qualify for cybersecurity insurance, a must in our volatile, digital age.
2. Hire a full-time or Virtual CIO. Even without the official requirements, every organization needs a chief information officer to ensure it is leveraging the right security technology approaches. If your business isn’t ready for a full-time CIO, a Virtual CIO for hire may fulfill the requirement and prepare you for oncoming cybersecurity regulations and challenges.
3. Document cybersecurity protocols and response plans. While New York state’s regulations call for documented cybersecurity planning, training, and response, many cybersecurity insurance providers do too. Robust security planning can get complicated: it involves the steps necessary to prevent and respond to cybersecurity events across layers of technology and across third-party partners and contacts.
Let’s get started.
At Fruth Group, our cybersecurity experts are fluent in HIPAA compliance and experienced in building cybersecurity strategies and infrastructure for hospital and healthcare environments. We’re ready to help. Call 877-272-0946 or complete our contact form for a quick call back.