Jan 4
2024
Are Hochul’s Cybersecurity Regulations Enough For the Future of New York Healthcare?
By Todd Moore, vice president of data security products, Thales.
On Nov, 13, 2023, New York Governor Kathy Hochul proposed a new set of cybersecurity rules for state hospitals. This includes a mandate that hospitals must develop their own programs and response plans and appoint chief information security officers (CISOs). The regulations are part of a statewide cyber strategy that Hochul launched in August to improve cyber resilience as attacks continue to rise.
The strategy is built on three central principles: Preparedness, Resilience, and Unification. It is also New York’s first roadmap to mitigate cyberthreats and attacks and has a long road ahead to combat the growing phishing and ransomware attacks across the state.
Are the regulations up to the task? Let’s take a look.
Preparedness
Tackling multiple cybersecurity threats in recent years may have weathered healthcare’s capacity for self-defense. But the industry is still more vulnerable than most. According to the Thales 2023 Healthcare and Life Sciences (HLS) Report, 71% of healthcare organizations have cited an increase in ransomware attacks this year, far higher compared to other industries at 49%. The higher frequency is mainly due to the vast personal data they store (medical records, PII, etc.) that present a goldmine for identity theft.
Under Hochul’s proposal, preparedness will involve providing advice and guidance to ensure New Yorkers are empowered to take charge of their own cybersecurity. Healthcare facilities will have to develop their own cyber programs and incident response plans, with written policies, procedures, and regular risk and response assessment tests in place.
From a glance, these give facilities a good foundation on which to establish their cybersecurity strategies, particularly for the less tech-savvy ones. But while the regulations are a good starting point and may develop expansively, right now we’ve only gotten high-level objectives. There isn’t a clear direction for managing crucial resources in use, such as the cloud, which could undermine Hochul’s efforts to foster resilience and unification.
Resilience
We live in a multi-cloud reality. Nearly 90% of healthcare respondents deploy two or more cloud providers to better manage data. Over the past year, data security in the cloud has become increasingly complex (from 44% to 55%). Unfortunately, this makes cloud resources a leading target for attackers, particularly for healthcare (78%) over other industries (67%).