On October 1, the compliance deadline for New York State's new hospital cybersecurity regulations arrived, a milestone expected to shape security standards for healthcare providers across the nation. Chris Stucker, deputy Chief Information Security Officer (CISO) at Froedtert ThedaCare Health in Wisconsin, forecasts significant shifts as organizations evaluate their cybersecurity programs against these stringent requirements.
The new rules include a range of mandates, such as implementing multifactor authentication, conducting thorough risk assessments, establishing incident response plans, and appointing a qualified CISO. One element has already been in force since October 2024: hospitals in New York must report cyber incidents to the state health department within 72 hours. "The 72-hour incident reporting isn't overly burdensome," Stucker noted. However, he anticipates that other facets of the regulations will present challenges, particularly as these standards ripple beyond New York's borders.
Stucker emphasized the imperative of designating a qualified CISO, highlighting that this role cannot be filled by individuals without requisite experience. He stated, “It can’t just be ‘Brad’ from accounting anymore, who built a PC once,” indicating a pressing need for skilled professionals in this critical cybersecurity position. His insights reflect broader industry concerns about the availability of qualified cybersecurity talent.
As the sector looks towards New York for guidance, Stucker described the state as a “huge test lab,” where the effectiveness of new regulations will be assessed. He predicts that as the regulations unfold, organizations—including insurers—will begin to align their operations with these standards. Within the next couple of years, he expects that questions about compliance with New York’s regulations will become commonplace on cyber insurance applications, thereby elevating the industry benchmark for security practices.
During a recent interview, Stucker also discussed other pertinent topics, including the potential for New York hospitals to recruit CISOs from other regions, the implications of legal protections against civil class-action lawsuits in states like Utah, and ongoing projects at Froedtert ThedaCare, such as a comprehensive identity overhaul.
Stucker’s role at Froedtert ThedaCare entails steering enterprise security strategy amidst rapid modernization—an effort encompassing identity transformation, cloud resilience, and the adoption of a zero-trust framework. With over 20 years in the field, he has navigated various roles that spanned mergers, crisis management, and systemic transformation initiatives. Additionally, Stucker serves as an adjunct professor at Southern Utah University and previously held leadership positions at multiple organizations, including Banner Health and Thomas Jefferson University Hospitals, following a career in military intelligence as a U.S. Army officer.
This evolving landscape of cybersecurity regulation in New York is relevant to business owners across the United States, serving as a reminder of the critical importance of robust security measures. The expectations set forth by New York State may well inform national practices, especially as healthcare facilities confront cyber threats that continue to grow in frequency and sophistication.