N.Y. Comp. Codes R. & Regs. tit. 10 § 405.46

Current through Register Vol. 46, No. 43, October 23, 2024
Section 405.46 - Hospital Cybersecurity Requirements
(a) Applicability. This section shall apply to all general hospitals licensed pursuant to article 28 of the Public Health Law, referred to throughout this section as "hospitals."
(b) Definitions. For the purposes of this section the following terms shall have the following meaning:
(1) "Authorized user" means any employee, contractor, agent or other person that participates in or operates on behalf of the operations of a hospital and is authorized to access and use any information systems and data of such hospital.
(2) "Control" means any mechanism, safeguard, policy or security measure that is put into place pursuant to implementation specification, to satisfy the requirement for a security measure.
(3) "Compensating Control" means any alternative measure that is put into place to satisfy the requirement for a security measure, where the implementation specification for that requirement is deemed not reasonable or appropriate to implement. The hospital must document why it would not be reasonable and appropriate to implement the implementation specification; and implement an equivalent alternative measure if reasonable and appropriate.
(4) "Cybersecurity event" means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse the hospital's information system or information stored on such information system, including but not limited to health records.
(5) "Cybersecurity incident" means a cybersecurity event that:
(i) has a material adverse impact on the normal operations of the hospital; or
(ii) has a reasonable likelihood of materially harming any part of the normal operation(s) of the hospital; or
(iii) results in the deployment of ransomware within a material part of the hospital's information systems.
(6) "Information system" means a discrete set of electronic information resources organized for the collection, processing, storage, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems. One such example is an electronic health records system.
(7) "Multi-factor authentication" means authentication through verification of at least two of the following types of authentication factors:
(i) knowledge factors, such as a password;
(ii) possession factors, such as a token; and
(iii) inherence factors, such as a biometric characteristic.
(8) "Nonpublic information" means all electronic information that is not publicly available information and is:
(i) a hospital's business-related information, the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of such hospital;
(ii) any information concerning a natural person which because of name, number, personal mark, or other identifier can be used to identify such natural person. This includes any such information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:
(a) social security number;
(b) drivers' license number or non-driver identification card number;
(c) account number, credit or debit card number in combination with any required security code or access code;
(d) password or other information that would permit access to an individual's financial account;
(e) account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code or password;
(f) biometric information, meaning data generated by electronic measures of an individual's unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual's identity; or a username or email address in combination with a password or security question and answer that would permit access to an online account; or
(g) any information or data, in any form or medium created by, held by, transmitted by, or derived from a health care provider or an individual and that relates to:
(1) the past, present or future physical, mental or behavioral health, or condition of any individual or a member of the individual's family;
(2) the provision of health care to any individual; or
(3) payment for the provision of health care to any individual.
(9) "Penetration testing" is a test methodology in which assessors attempt to circumvent or defeat the security features of an information system from outside or inside the hospital's information systems.
(10) "Privileged account" means any authorized user account or service account that can be used to perform security-relevant functions that ordinary users are not authorized to perform, including but not limited to the ability to add, change or remove other accounts, or make configuration changes to information systems.
(11) "Publicly available information" means any information that a hospital has a reasonable basis to believe is lawfully made available to the general public from widely distributed media; or disclosures to the general public that are required to be made by Federal, State or local law. For the purposes of this paragraph, a hospital has a reasonable basis to believe that information is lawfully made available to the general public if the hospital has taken steps to determine that:
(i) the information is of the type that is available to the general public;
(ii) no individual who could have lawfully objected to the information being disclosed to the general public, has made such a request; and
(iii) disclosure to the general public would not violate other Federal, State, or local government laws, including but not limited to the Health Insurance Portability and Accountability Act (HIPAA).
(12) "Risk assessment" means the risk assessment that each hospital must conduct under subdivision (h) of this section.
(c) Cybersecurity Program Requirements.
(1) Each hospital shall establish within its policies and procedures a cybersecurity program based on the hospital's risk assessment.
(2) The cybersecurity program shall be designed to perform the following core functions:
(i) identify and assess internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on the hospital's information systems and the continuity of the hospital's business and operations;
(ii) use defensive infrastructure and the implementation of policies and procedures to protect the hospital's information systems, the continuity of the hospital's business and operations, and the nonpublic information stored on those information systems, from unauthorized access, use or other malicious acts;
(iii) detect cybersecurity events;
(iv) respond to identified or detected cybersecurity events to mitigate any negative effects;
(v) recover from cybersecurity events and incidents and restore normal operations and services; and
(vi) fulfill applicable statutory and regulatory reporting obligations.
(3) Each hospital's cybersecurity program shall include policies and protocols to limit user access privileges to information systems that provide access to nonpublic information. Each hospital shall periodically review such access privileges, and such access privileges shall be based on the hospital's risk assessment, and other State and Federal laws, including but not limited to the administrative, physical and technical safeguards under HIPAA.
(4) Each hospital's cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the hospital, and procedures for evaluating, assessing and testing the security of externally developed applications utilized by the hospital. All such procedures, guidelines and standards shall be annually reviewed, assessed, updated and attested as such by the chief information security officer (CISO) (or a qualified designee) of the hospital.
(5) Each hospital's cybersecurity program shall include policies and procedures for the secure disposal, on a periodic basis, of any nonpublic information identified that is no longer necessary for business operations or for other legitimate business purposes of the hospital, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
(6) Each hospital's cybersecurity program shall implement security measures and controls, including encryption, to protect nonpublic information held or transmitted by the hospital, both in transit over external networks and at rest, which takes into account necessary controls identified in the hospital's risk assessment.
(i) To the extent a hospital determines that encryption of nonpublic information in transit over external networks is infeasible, the hospital shall instead secure such nonpublic information using effective compensating controls reviewed and approved by the hospital's CISO.
(ii) To the extent a hospital determines that encryption of nonpublic information at rest is infeasible, the hospital shall instead secure such nonpublic information using effective alternative compensating controls reviewed and approved by the hospital's CISO.
(iii) To the extent that a hospital is utilizing compensating controls under this paragraph, the feasibility of encryption and effectiveness of the compensating controls shall be reviewed and documented by the CISO as needed to continue securing nonpublic information. Such reviews and associated documentation shall be completed at minimum on an annual basis.
(7) Each hospital's cybersecurity program shall implement security controls to mitigate risks arising from electronic mail-based threats, including but not limited to spoofing, phishing, and fraud. Such controls shall be reviewed and updated on a regular basis to ensure their effectiveness against evolving threats.
(d) Cybersecurity policy.
(1) Each hospital shall maintain and implement policies and procedures for the protection of its information systems and nonpublic information stored on those information systems, and the continuity of the hospital's business and operations, in accordance with the hospital's risk assessment and applicable State and Federal laws and regulations. The hospital shall be responsible for developing and enforcing the hospital's cybersecurity policy, and overseeing and implementing the hospital's cybersecurity program, established pursuant to subdivision (c) of this section.
(2) The hospital's cybersecurity policy, upon recommendation by the CISO shall be approved by the hospital's governing body, established pursuant to section 405.2 of this Part. If a committee is established for the specific purpose of supervising the hospital's cybersecurity measures, the committee shall present the cybersecurity policy to the governing body for full approval and implementation.
(3) The cybersecurity policies shall be based on the hospital's risk assessment and address, at a minimum, the following topics:
(i) information security;
(ii) data governance and classification;
(iii) asset inventory and device management;
(iv) access controls and identity management;
(v) business continuity and disaster recovery planning and resources;
(vi) systems operations and availability concerns;
(vii) systems and network security;
(viii) systems and network monitoring;
(ix) systems and application development and quality assurance;
(x) physical security and environmental controls;
(xi) patient data privacy;
(xii) vendor and third-party service provider management;
(xiii) risk assessment as defined in subdivision (h) of this section;
(xiv) training and monitoring as defined in subdivision (l) of this section; and
(xv) overall incident response as defined in subdivision (m) of this section.
(e) Chief Information Security Officer.
(1) Each hospital shall designate an individual from senior- or executive-level staff, qualified in training, experience, and expertise, to serve as the hospital's Chief Information Security Officer, or "CISO."
(2) Notwithstanding the provisions set forth in subdivision (i) of this section, the hospital's CISO may be an employee of the facility, or an employee of a third-party or contract vendor. If the CISO is an employee of a third-party or contract vendor, the governing body, as defined under section 405.2 of this Part, shall approve the contract on an annual basis.
(3) The CISO of each hospital shall report in writing, at least annually to the hospital's governing body, on the hospital's cybersecurity program and material cybersecurity risks. Such report shall, at minimum include:
(i) the confidentiality of nonpublic information and the integrity and security of the hospital's information systems;
(ii) the hospital's cybersecurity policies and procedures, including their implementation status and any recommendations for revisions;
(iii) material cybersecurity risks to the hospital;
(iv) overall effectiveness of the hospital's cybersecurity program; and
(v) any cybersecurity incidents as defined in subdivision (b) of this section involving the hospital during the time period addressed by the report, as well as steps taken to mitigate future events.
(f) Testing and vulnerability assessments.
(1) The cybersecurity program for each hospital shall include monitoring and testing, developed in accordance with the hospital's risk assessment, designed to assess the effectiveness of the hospital's cybersecurity program and assess changes in information systems that may create or indicate vulnerabilities.
(2) The monitoring and testing shall include at a minimum:
(i) penetration testing of the hospital's information systems by a qualified internal or external party at least annually based upon the hospital's risk assessment;
(ii) automated scans or manual or automated reviews of information systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the hospital's information systems based on the risk assessment; and
(iii) timely remediation of vulnerabilities based on the risk they pose to the hospital.
(g) Audit Trails and Records Maintenance.
(1) Each hospital shall securely maintain systems that are designed to support normal operations and obligations of the hospital. Records pertaining to systems design, security, and maintenance supporting such normal operations shall be maintained for a minimum of six years.
(2) Each hospital shall also securely maintain systems to include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the hospital, and cybersecurity incidents as defined in subdivision (b) of this section. Records pertaining to such audit trail systems shall be maintained for a minimum of six years.
(3) Designs for the security systems and audit trails required pursuant to paragraphs (1) and (2) of this subdivision shall be based on the hospital's risk assessment.
(h) Risk assessment.
(1) Each hospital shall conduct an accurate and thorough annual risk assessment of the hospital's potential risks and vulnerabilities to the confidentiality, integrity, and availability of nonpublic information, such as electronic protected health information, held by the hospital, and the continuity of the hospital's business and operations, as well as information systems sufficient to inform the design of the cybersecurity program as required by this section. Such risk assessment shall be updated as reasonably necessary, and no less than annually, and address changes to the hospital's information systems, nonpublic information or business operations supported by those information systems. The risk assessment shall allow for revision of controls to respond to technological developments and evolving threats and shall consider the particular risks of the hospital's business operations, nonpublic information collected or stored, information systems utilized and the availability and effectiveness of controls to protect nonpublic information and information systems. Risk assessments performed for other regulatory purposes, such as HIPAA, shall be acceptable under this provision provided they comport with the requirements of this subdivision. Other risk assessments performed for other regulatory purposes, such as HIPAA, may be extended to comply with this section and incorporate other risk assessments performed by qualified internal or external parties.
(2) The risk assessment shall be carried out in accordance with written policies and procedures and shall be documented. Such policies and procedures shall, at a minimum include:
(i) criteria for the evaluation and categorization of identified cybersecurity risks, vulnerabilities, and threats facing the hospital;
(ii) criteria for the assessment of the confidentiality, integrity, security and availability of the hospital's information systems and nonpublic information, including the identification and adequacy of existing controls in the context of identified risks, the determination of the likelihood of threat occurrence and the determination of the potential impact of threat occurrence, and the determination of the level of risk; and
(iii) requirements describing how identified risks and threats will be mitigated or accepted based on the risk assessment and how the cybersecurity policies and programs will address the risks.
(i) Cybersecurity personnel.
(1) Each hospital shall utilize qualified cybersecurity personnel of the hospital, an affiliate or a third-party service provider sufficient to manage the hospital's cybersecurity risks and to perform or oversee the performance of the core cybersecurity functions specified in subdivision (c) of this section and in accordance with the hospital's risk assessment.
(2) Each hospital may utilize an affiliate or qualified third-party service provider to assist in complying with the requirements set forth in this section.
(j) Security policies for third-party service providers.
(1) Each hospital shall implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers. Such policies and procedures shall be based upon the hospital's risk assessment and shall, at a minimum, address the following:
(i) the identification and baseline assessment (if applicable) of third-party service providers; and
(ii) minimum cybersecurity practices required to be met by such third-party service providers in order for them to do business with the hospital.
(2) Such policies and procedures shall include relevant guidelines for due diligence and contractual protections relating to third-party service providers, including, at a minimum, guidelines addressing:
(i) ensuring third-party service provider's policies and procedures for access controls are consistent with industry standards;
(ii) the third-party service provider's policies and procedures for use of encryption or another method to protect nonpublic information in transit and at rest;
(iii) notice to be provided to the hospital in the event of a cybersecurity incident directly impacting the hospital's information systems or the hospital's nonpublic information being held by the third-party service provider; and
(iv) representations and warranties addressing the third-party service provider's cybersecurity policies and procedures that relate to the security of the hospital's information systems or nonpublic information.
(k) Identity and Access Management.
(1) Each hospital shall use multi-factor authentication, risk-based authentication, or other compensating control to protect against unauthorized access to nonpublic information or information systems.
(2) Multi-factor authentication shall be utilized for any individual accessing the hospital's internal networks from an external network, unless the hospital's CISO has approved in writing the use of compensating controls.
(3) Each hospital shall limit user access privileges to information systems that provide access to nonpublic information to only those necessary to perform the user's job.
(4) Each hospital shall separate non-privileged and privileged accounts.
(5) Each hospital shall limit the number of privileged accounts and limit the access functions of privileged accounts to only those necessary to perform the user's job.
(6) Each hospital shall limit the use of privileged accounts to only when performing functions requiring the use of such access.
(7) Each hospital shall periodically, but at a minimum annually, review all user access privileges and remove or disable accounts and access that are no longer necessary.
(8) Each hospital shall disable or securely configure all protocols that permit remote control of devices.
(9) Each hospital shall promptly terminate access following departures.
(l) Training and monitoring.

As part of its cybersecurity program, each hospital shall, at a minimum:

(1) Implement risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information by such authorized users.
(2) Provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the hospital in its risk assessment, which may include annual phishing exercises and training/remediation for employees.
(m) Incident response plan.
(1) As part of its cybersecurity program, each hospital shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity incident materially affecting the confidentiality, integrity or availability of the hospital's information systems or the continuing functionality of any aspect of the hospital's business or operations.
(2) Such incident response plan shall, at a minimum, address the following areas:
(i) the goals of the incident response plan;
(ii) the definition of clear roles and responsibilities, a list of actual personnel and both business hour and off-business hour contact information with levels of decision-making authority;
(iii) external and internal communications and information sharing about any incidents;
(iv) identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
(v) the internal processes for responding to a cybersecurity event including, at a minimum, mitigation, downtime procedures and contingency plan, and process for determining if a cybersecurity event becomes a cybersecurity incident, and processes for determining if a cybersecurity incident has a material adverse impact on the hospital;
(vi) documentation and reporting regarding cybersecurity events and related incident response activities; and
(vii) the evaluation and revision as necessary of the incident response plan following a cybersecurity event.
(n) Department Reporting.
(1) The hospital or its designee shall notify the department as promptly as possible, but no later than 72 hours after determining a cybersecurity incident, as defined in subdivision (b) of this section, has occurred, in a manner prescribed by the department. Notification to the department under this section does not replace any other notifications required under State or Federal laws or regulations.
(2) Each hospital shall maintain and submit for examination, in such time and manner and containing such information, as the department determines to be necessary, including but not limited to any and all documentation, such as records, schedules, reports, and data required and supporting the required documentation by this section. All such documentation must be maintained for a minimum of six years.
(3) To the extent a hospital has identified areas, systems or processes that require material improvement, updating or redesign, the hospital shall document the identification and the remedial efforts planned, and underway, to address such areas, systems or processes. Such documentation must be available for inspection by the department, in such time and manner as prescribed by the department, and must be maintained for a minimum of six years.
(o) Confidentiality.

Information provided by a hospital pursuant to this Part shall be subject to the applicable provisions of the Public Health Law, Mental Hygiene Law, Education Law, and the Public Officers Law or any other applicable State or Federal law or regulations in relation to disclosure.

(p) Compliance period.
(1) Covered entities shall have one year from the effective date of this section to comply with the requirements set forth in this section, provided, however, subdivision (n) of this section shall be effective immediately upon adoption.
(q) Severability.

If any provision of this section or the application thereof to any person or circumstance is adjudged invalid by a court of competent jurisdiction, such judgment shall not affect or impair the validity of the other provisions of this section or the application thereof to other persons or circumstances.


Adopted New York State Register October 2, 2024/Volume XLVI, Issue 40, eff. 10/2/2024