Monetary Incentives for New York State Hospitals to Enhance Cybersecurity

February 14, 2024

I know what you are thinking. Do healthcare organizations really need more robust controls and additional regulations to convince them to secure patient health information and protect patient safety?

The U.S. Department of Health and Human Services (HHS) thinks so, as it has announced a forthcoming 2024 update to the HIPAA Security Rule. HHS is expected to ask Congress for new laws and resources to increase civil monetary penalties for HIPAA violations, increase HIPAA enforcement and conduct proactive audits. This is on the heels of the Health Industry Cybersecurity Practices (HICP) that HHS introduced in 2021, as well as the more recent release of the healthcare-specific Cybersecurity Performance Goals (CPGs), which encourage organizations to strengthen their cybersecurity posture and maintain controls that meaningfully reduce risk and improve cybersecurity maturity.

Adding to this, New York Governor Kathy Hochul introduced new cyber regulations for hospitals in November 2023, requiring hospitals across the state to implement minimum security controls to safeguard health information and avoid delays in care caused by cybersecurity events. Through these regulations, Governor Hochul has boldly sought to ensure patient safety and protect not only patient data but, more importantly, the lives of New York residents. To support this initiative, the state government is allocating $500 million from the 2024 budget to upgrade healthcare technology systems to meet the proposed rule requirements.

The proposed update to the HIPAA Security Rule seeks to strengthen existing HIPAA requirements and require all hospitals to establish and maintain minimum cybersecurity standards and programs. What is important to note is that the proposed rule is subject to a 60-day comment period ending on February 5, 2024. Once the legislation is approved, hospitals will have one year to comply.

Regulatory Highlights

Here are the top 10 requirements for hospitals based on the bill:

  • Establish a formal, risk-based cybersecurity program and identify and assess all internal and external cybersecurity risks that might impact patient information and continuous care delivery.
  • Conduct an extensive and accurate risk assessment, as well as an external and internal penetration test of information systems, on at least an annual basis.
  • Require the hospital’s Chief Information Security Officer (CISO) to report at least annually to the hospital's governing body or board of directors about the hospital's cybersecurity program, including incidents, breaches, overall risk and program effectiveness.
  • Provide regular, ongoing cybersecurity awareness training for all personnel. This training should be continually updated to reflect risks identified in any risk assessment.
  • Implement audit trails to detect and respond to cybersecurity events and maintain those records for a minimum of six years.
  • Implement risk-based policies and controls to monitor the activity of authorized users and detect unauthorized access or use of nonpublic information.
  • Require multifactor authentication for any individual accessing the hospital’s internal networks from an external network.
  • Establish a program to manage third-party service providers and ensure the security of information systems, externally developed applications and nonpublic information that are accessible or maintained by the third party.
  • Implement a defense-in-depth infrastructure strategy to protect the hospital's information systems.
  • Implement formal incident response and disaster recovery policies to detect, respond to and recover from cybersecurity events.

Building a Cybersecurity Compliance Strategy

For most hospitals, the proposed cybersecurity regulations may seem like a logical extension of the HIPAA Security Rule requirements and may already be covered by current controls and processes. For organizations without a mature cybersecurity program, some of these requirements will require planning and the allocation of dollars from an already stretched budget.

At Optiv, we have worked with clients to develop strategies and approaches that rapidly enable management of healthcare-specific risks. We have extensive experience guiding our clients through these challenging and sometimes confusing regulations. Optiv’s expertise allows healthcare organizations to identify risks and improve cybersecurity controls and hygiene through technical solutions and managed services. Optiv's strategy and risk management services identify cyber risk through assessments against various regulatory and compliance frameworks. Our customizable governance, risk management and compliance (GRC) programs provide professional services and solutions structured to cover the planning, development and operationalization of GRC programs and control frameworks. From policy and procedure development to implementing control frameworks and GRC management tools, Optiv's strategy and risk management services and managed solutions help reduce our clients' risk exposure and optimize internal staff and support. Contact us to learn more about how you can meet compliance requirements and reduce risk.

Keith Forrester
Practice Manager - Strategy and Risk | Optiv
As a Practice Manager in Optiv’s Strategy and Risk Practice responsible for healthcare service delivery, Keith leads a team of security professionals in the delivery of cybersecurity strategy, technology and information risk management projects. He has over 25 years of information security governance and risk management experience supporting various industry sectors, including health care, technology, government, utilities and banking. His background includes extensive experience delivering risk and regulatory assessments, developing governance and compliance programs, and supporting vCISO engagements.

Keith is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), PCI-DSS Qualified Security Assessor (QSA), HITRUST Certified CSF Practitioner (CCSFP), Certified HITRUST Quality Professional (CHQP) and Lean Six Sigma – Greenbelt.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.