By Todd Moore, vice president of data security products, Thales.
On Nov. 13, 2023, New York Governor Kathy Hochul proposed a new set of cybersecurity rules for state hospitals. These include a mandate that hospitals develop their own cybersecurity programs and incident response plans and appoint chief information security officers (CISOs). The regulations are part of a statewide cyber strategy that Hochul launched in August to improve cyber resilience as attacks continue to rise.
The strategy is built on three central principles: Preparedness, Resilience, and Unification. It is also New York’s first roadmap to mitigate cyberthreats and attacks and has a long road ahead to combat the growing phishing and ransomware attacks across the state.
Are the regulations up to the task? Let’s take a look.
Having weathered multiple cybersecurity threats in recent years, healthcare may have built up some capacity for self-defense. But the industry is still more vulnerable than most. According to the Thales 2023 Healthcare and Life Sciences (HLS) Report, 71% of healthcare organizations cited an increase in ransomware attacks this year, far higher than the 49% reported across other industries. The higher frequency is mainly due to the vast amount of personal data they store (medical records, PII, etc.), which presents a goldmine for identity theft.
Under Hochul’s proposal, preparedness will involve providing advice and guidance to ensure New Yorkers are empowered to take charge of their own cybersecurity. Healthcare facilities will have to develop their own cyber programs and incident response plans, with written policies, procedures, and regular risk and response assessment tests in place.
At a glance, these requirements give facilities a good foundation on which to establish their cybersecurity strategies, particularly for the less tech-savvy ones. But while the regulations are a good starting point and may develop expansively, right now we only have high-level objectives. There isn’t a clear direction for managing crucial resources already in use, such as the cloud, which could undermine Hochul’s efforts to foster resilience and unification.
We live in a multi-cloud reality. Nearly 90% of healthcare respondents deploy two or more cloud providers to better manage data. Over the past year, more respondents report that data security in the cloud has become more complex (up from 44% to 55%). Unfortunately, this makes cloud resources a leading target for attackers, particularly in healthcare (78%) compared with other industries (67%).
Under the resilience principle, the NY governor will expand the scope of cybersecurity regulations, minimum security standards, requirements, and recommendations so that New York’s critical infrastructure is better protected.
All well and good, except the objectives give little clarification on what constitutes ‘critical state infrastructure.’ Does the cloud fall under this category? To what degree? If this lack of clarity persists, it will have severe consequences, at the very least making it difficult for healthcare facilities to simply ‘switch over’ to align with state cyber regulations and leaving data vulnerable to attack.
On the bright side, Hochul’s strategic pillars do account for talent and leadership. According to healthcare respondents, human error (76%) is the leading reported cause of cloud data breaches, often due to the average employee’s lack of cybersecurity know-how. New York is working to grow its talent pool by continuing cybersecurity education and workforce development. The proposal also requires that CISOs be hired to provide leadership and to review and update policies annually. With greater education, talent, and leadership, the threat of human error may lessen.
One major challenge in healthcare security is unequal access to key resources, such as talent, funding, and information, which indirectly affects the industry’s cybersecurity efforts.
Hochul’s regulations intend to help fix this problem by increasing access to cybersecurity resources, so that the state’s most sophisticated defenses are available to its least well-resourced entities and the industry can present a unified front to attackers. As part of this effort, Hochul will continue collaborating with key stakeholders and grant healthcare facilities a $500 million budget to upgrade their technology systems so that they are regulatory-compliant, with advanced tools and digital records that improve patient care, access, and experience.
It’s a big step forward in establishing state-level cybersecurity standards across health facilities. But the proposal does not narrow down its key investments. The Thales report identified Identity and Access Management (IAM) as a top mitigating control for data breaches. Yet in the last year, adoption of strong Multifactor Authentication (MFA) increased by barely 1% among healthcare organizations.
Furthermore, on average, only 45% of sensitive data is encrypted across healthcare organizations. Modern authentication and encrypted access are critical to addressing today’s authentication risks. As data-sharing between hospitals becomes more common, investing in encryption for data at rest and data in motion can help facilities advance secure unification.
But not everything here is a point for concern. For one, making MFA mandatory will likely accelerate its adoption across hospitals. For another, the governor is promising the funds to match her guidelines. This is much better than other regulations, where high-level guidance is rarely given the budget to implement it. The $500M will be enough and the one-year timeframe is aggressive, but the budget is a step forward in state efforts to secure NY’s virtual healthcare borders.
Are Hochul’s regulations enough?
The NY governor’s proposed regulations are currently under review by NY’s Public Health and Health Planning Council. If approved, healthcare facilities will have a one-year timeline within which to ensure compliance. Given the current state of healthcare cybersecurity, this may not be enough time to ensure state-wide accessibility and implementation. It takes time to grow specialized talent and to effectively deploy tools that replace existing systems. The regulations are positive but broad, and they lack clarity.
It’s clear that healthcare must act fast if it wants to prevent far greater attacks and losses in the future. Hochul’s focus on advancing talent, information-sharing and accessibility, and funding for investment is a great starting point. But upgrading tools can become overwhelming if the effort is not narrowed down. For these upgrades to be effective, Hochul should focus on three key areas: encryption, access management control, and digital sovereignty. A targeted strategy will help the regulations optimize healthcare security operations and ultimately secure the industry’s borders without compromising on growth.