Intraprise Health Supports New York State Adoption of Stricter Healthcare Cybersecurity Regulations

Intraprise Health, a leading healthcare cybersecurity company, has issued a public statement in support of New York State’s stricter requirements for healthcare cybersecurity. The company is calling on other states to adopt similar measures.

“We applaud New York for being the first to address this critical issue at the state level,” said Intraprise CEO George Pappas. “Despite the recent plague of cyberattacks, too many healthcare systems struggle to protect themselves, their patients and partners. It’s time for states to step forward and require improved security while providing some financial support.”

While the federal government considers national regulations, New York State is the first to regulate cybersecurity for its hospitals. It is enacting a new set of data protection requirements in addition to those in the federal Health Insurance Portability and Accountability Act (HIPAA). The state is creating a $500 million fund to help healthcare systems upgrade their technology systems to improve security.

The regulations, which take effect in 2025, require hospitals to conduct an annual assessment of their potential risks and vulnerabilities and to establish a cybersecurity program based on that assessment. At minimum, the program must include:

  • Identifying cybersecurity risks that could affect the storage of nonpublic information
  • The use of defensive infrastructure and the implementation of policies and procedures to protect information systems from unauthorized access
  • Detection of cybersecurity events
  • Responding to and recovering from cybersecurity events and restoring normal operations
  • Meeting applicable statutory and regulatory reporting obligations

It also requires hospitals to establish a chief information security officer role to enforce the new policies and update them as needed.

Healthcare has been wracked by a recent spate of cyberattacks, which have resulted in disruption of service, the theft of personal information, and expensive ransoms being paid to hackers.

A 2023 analysis by the federal Hospital Cyber Resiliency Initiative found that ransomware attacks are “an outsized and growing cyber threat to hospitals” and that hospitals are left vulnerable by variable adoption of critical security features and a continually evolving threat landscape.

“Healthcare is a complex landscape encompassing thousands of organizations with nearly as many approaches to cybersecurity,” Pappas said. “What many hospitals fail to recognize is that the safeguards and defense mechanisms that were adequate five to 10 years ago are no longer sufficient. Requiring upgrades, as New York State is doing, is the best way to ensure healthcare systems can repel attacks.”

Improving healthcare cybersecurity is becoming a priority at the federal level, as well. Congress is considering a Healthcare Cybersecurity Act, which would require the Department of Homeland Security and the Department of Health and Human Services to detect cyber threats and develop defensive measures.

Healthcare organizations increasingly are turning to cybersecurity experts, like Intraprise Health, for expertise and systems to defend themselves.

About Intraprise Health

Intraprise Health, healthcare’s leading compliance and cybersecurity organization, provides holistic visualization of your compliance and security posture. Their comprehensive services, backed by automation, rapidly integrate in native environments, yielding a comprehensive view of risk – spanning adherence to compliance frameworks, cybersecurity vulnerabilities, and third-party risk. Eliminate blind spots with Intraprise – the fifth HITRUST assessor since 2011.