New York Hospitals Are Confronting Stricter Cybersecurity Regulations Beyond HIPAA

Recent cybersecurity regulations in New York state have significantly heightened compliance requirements for certain hospitals, presenting new challenges for data governance. Matthew Bernstein, a consultant with Bernstein Data, highlighted that these regulations operate alongside the federal HIPAA security rule, complicating compliance for healthcare providers.

Introduced last year, New York State’s cybersecurity regulations mandate that hospitals report any cyber incidents to the state health department within 72 hours, a requirement set to take effect in October 2024. The remaining compliance obligations, which include a comprehensive array of security measures such as multifactor authentication, risk assessments, designating a Chief Information Security Officer (CISO), and crafting incident response plans, will officially begin on October 1, 2025.

The scope of data these regulations protect is extensive, encompassing not only HIPAA-covered health information but also personally identifiable information (PII) and business data. According to Bernstein, the challenge lies in identifying and managing this larger spectrum of sensitive data effectively.

Bernstein points out that the nature of compliance under these new regulations requires a robust framework for determining what data needs protection, with risk assessments that differ markedly from previous standards. He advises that it is crucial for organizations to demonstrate to regulators a structured plan for achieving compliance, even if complete adherence cannot be realized immediately.

In a recent audio interview with Information Security Media Group, Bernstein elaborated on the distinctions between New York’s regulations and HIPAA, explaining the state’s prescriptive approach to system-wide and annual risk assessments and addressing issues of data sprawl within healthcare settings.

Bernstein has a long-standing background in information governance, having led information management practices in various global financial institutions, including Deutsche Bank, for over two decades. Before establishing Bernstein Data, he held the position of head of group information and records management at Deutsche Bank, overseeing records management, archiving, and eDiscovery operations on a global scale.

This new compliance landscape will require hospitals to adopt meticulous data governance strategies and to stay aware of emerging threats. As institutions prepare for the upcoming regulations, they should also be familiar with the adversary tactics catalogued in the MITRE ATT&CK framework, such as initial access, persistence, and privilege escalation, which can inform both their risk assessments and their incident response planning.

As the implementation dates approach, proactive data protection measures will be essential, so that healthcare providers stay ahead of regulatory requirements while safeguarding sensitive information against breaches and exploitable vulnerabilities.
