In an effort to address cybersecurity threats in hospitals in New York, the state Department of Health proposed a new rule in December aimed at safeguarding hospital systems and nonpublic information.
The proposed regulation, which is open for public comment until Feb. 5, would require hospitals to establish a cybersecurity program and take steps to assess internal and external risks.
The rule is meant to build on the Health Insurance Portability and Accountability Act (HIPAA) and is not intended to replace any of the HIPAA security rule’s requirements.
Compliance with the HIPAA security rule, through aligned policies and procedures, a holistic risk analysis, and controls implemented against its implementation specifications, forms the bedrock of conformity with the proposed New York regulation. That compliance is only a starting point, however: the proposed regulation goes further in several areas.
It is also important to note that the proposed regulation contains nuances that are unique to it and may require reconsidering control processes that currently satisfy the HIPAA security rule (and some elements of the Breach Notification Rule).
Important considerations for hospitals
To that end, the following areas may require a refresh to ensure continued alignment:
- Cybersecurity program, policies and procedures: While these should remain aligned with an organization’s HIPAA security policies and procedures, it would be prudent to revisit existing policies and procedures to ensure they also reflect the language of the proposed regulation, in addition to any existing HIPAA language.
- Chief information security officer: The proposed regulation specifies the responsibilities and reporting requirements of a hospital’s CISO in greater detail than the assigned security responsibility language in the HIPAA security rule. That detail should be reflected in existing governance documentation.
In addition, the proposed rule differs markedly from existing regulations in several respects. New York hospitals may want to update or enhance current policies in anticipation of these changes. Considerations include:
- Covered data set: Define the data in scope. The proposed regulation covers “nonpublic information,” a broader category than HIPAA’s protected health information. Nonpublic information includes all information that is not publicly available, including “business-related information, the tampering with which, or unauthorized disclosure, access or use of which would cause a material adverse impact to the business, operations or security” and payment card or financial information (account numbers, credit or debit card numbers).
- Audit trails and retention: The proposed regulation requires audit trails for cybersecurity events (those that have a reasonable likelihood of materially harming any part of the hospital’s normal operations) and incidents to be retained for six years. Ensure that the logs covering such events are adequately defined, reevaluate log retention capabilities and capacity, and identify any systems that process nonpublic information but are not currently capturing audit logs.
- Cybersecurity personnel: Reevaluate documentation surrounding cybersecurity roles and responsibilities in job descriptions, organizational charts, and in cybersecurity plan and program governance documents. If using a third-party service provider to co-administer or support the cybersecurity program, standard operating procedures and controls should be explicitly defined to govern that relationship.
- Third-party vendor management: Reevaluate third-party vendor management controls and processes such as data security requirements and due diligence procedures performed for third parties that process nonpublic information to ensure compliance with minimum cybersecurity practices.
- Multi-factor authentication: HIPAA does not expressly require multi-factor authentication (MFA), although it is encouraged as a means of restricting access to covered data to the minimum necessary. Not every system in the organization that accesses, transmits, stores, deletes or otherwise processes nonpublic information or ePHI (electronic protected health information) may have MFA enabled or available. Where MFA is not possible, documentation should record a formal business rationale and the compensating controls in place, approved by the CISO, to support a risk-based approach.
- Incident reporting: Existing incident response plan documentation and associated procedures may require updating to accommodate the proposed regulation’s requirement, unique to New York, to report to the state within two hours any cybersecurity incident that has occurred and has had a material adverse impact on the hospital.
How to prepare?
New York hospitals should consider the following:
- Organizations should ensure full compliance with the HIPAA security rule, as well as with the intent of its requirements as expressed through Office for Civil Rights pronouncements, settlement agreement text and commentary, rule commentary, and the OCR audit protocol.
- If leadership does not have a clear understanding of the organization’s HIPAA compliance status, an assessment should be performed to identify compliance gaps and begin remediating them. Remediation may take considerable time or investment.
- If an organization already operates a high-performing security program that complies with the HIPAA security rule and is aligned with an industry cybersecurity framework, the proposed New York rule should not require significant effort to update policies, processes or technologies.
- Identify and formally document compensating controls, as the proposed regulation implies a level of risk-based flexibility in the design of protections similar to that of the HIPAA security rule.
Until the rule is published, commented on and finalized, the proposed regulation may change significantly. In similar efforts, the comment period has sometimes led to refinement of the requirements or clarification of terms and definitions, so that the scope and technical aspects are clear and reasonable for facilities of all sizes. Once the requirements are finalized, however, New York hospitals will have one year to comply, and the incident reporting requirements take effect immediately upon adoption of the rule.
RSM contributor: Jason Pymento, RSM US LLP