In a New York state of mind – Recent legal and enforcement considerations

As I am writing this, it’s December. For those who have been to New York City during the Holiday Season, it provides a feast for the senses – visual, olfactory, and auditory. The experience is nothing short of amazing and I remain in awe, regardless of the number of times that I have been in December.

It is well-known that any holiday is a prime time for a cyberattack. In light of this, now is a good time to review a recent New York Attorney General (NY AG) enforcement action, the New York State Department of Financial Services’ (NYSDFS) amendments to Part 500 of its Cybersecurity Regulations, and proposed cybersecurity regulations to strengthen cyber requirements for hospitals.

NYAG enforcement action involving a radiology group

On Nov. 8, the NY AG announced a $450,000 settlement with a radiology group for “failing to protect its patients’ personal and health care data.” As part of the settlement for a breach involving 92,000 New Yorkers, which stemmed from making a decision not to upgrade hardware, which left it susceptible to the ransomware attack it experienced, US Radiology also agreed to “update its IT infrastructure, properly secure its networks, and update its data security policies.” This serves as a lesson for all covered entities and business associates – government agencies are vigorously pursuing companies who shirk their cybersecurity duties, both at the state and federal level by not having adequate technical, administrative, and physical safeguards in order to protect the confidentiality, integrity, and availability of individual’s sensitive and health information.

NYSDFS – Part 500 cybersecurity amendments

On Nov. 1, Governor Hochul announced that NYSDFS was amending Part 500, which affects regulated entities—institutions operating under or required to obtain a license or similar authorization under New York’s insurance law, banking law, or financial services law (collectively “Regulated Entities”). The first significant change and second amendment to the Cybersecurity Regulations (23 NYCRR 500) since their 2017 inception, new information security compliance obligations for Regulated Entities resemble HIPAA requirements and went into effect on December 1, 2023 (with some exceptions for small businesses), with an adoption date of April 29, 2024, for most provisions. Here are some key take-aways:

• The term “affiliate” is similar to a “business associate” under HIPAA;
• Distinguishes between a “cybersecurity event” and a “cybersecurity incident” (notably, once the situation has been deemed a “cybersecurity incident” then reporting requirements to various agencies commence);
• Addition of “multi-factor authentication” requirements; and
• An annual risk assessment.

NYAG proposed cybersecurity regulations for hospitals

In August 2023, New York Governor Hochul announced theNew York State Cybersecurity Strategy to raise awareness and highlight cyber threats. The strategy, in addition to the Federal Bureau of Investigation’s estimate that New York was third in a state ranking of citizens impacted by cybercrimes, healthcare and the related disruption of services was also mentioned.

On November 13, 2023, Governor Hochul announced that she was increasing the NY budget and allotting “$500 million that health care facilities may apply to upgrade their technology systems to comport with proposed regulations”, which were scheduled to be published on December 6, 2023. In essence, a grant. The purpose of:

[t]he proposed regulations aim to strengthen the protections on hospital networks and systems that are critical to providing patient care, as a complement to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule that focuses on protecting patient data and health records. Under the proposed provisions, hospitals will be required to establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks, use defensive techniques and infrastructure, implement measures to protect their information systems from unauthorized access or other malicious acts, and take actions to prevent cybersecurity events before they happen.

All of these New York initiatives highlight the increased scrutiny on cybersecurity at both a state and a federal level. New York is providing resources to hospitals to encourage compliance with the regulations, much like the federal Meaningful Use Program, which was implemented to encourage the legal and secure adoption of electronic health record systems. Training, annual risk assessments (HIPAA’s risk analysis equivalent), and updated policies and procedures cannot be emphasized enough. Indeed, cybersecurity is a “New York state of mind.”

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.