In October 2024, the New York State Department of Health (NYSDOH) adopted new cybersecurity requirements as part of its regulations for hospitals – a move that signifies “a step toward more prescriptive healthcare cybersecurity requirements” for the healthcare industry. The team at Zilla Security is helping customers understand and implement the NYSDOH cybersecurity requirements, which include specific identity and access management mandates.
We wanted to dig a bit deeper into the specific requirements of the NYSDOH cybersecurity regulations and highlight how hospital IT teams can achieve and track compliance.
What are the NYSDOH cybersecurity requirements?
There’s quite a bit packed into the new requirements. Their intent is to ensure that hospitals across the state “maintain a minimum level of readiness to prepare for, respond to, and quickly recover from cybersecurity incidents.”
Effective immediately, all general hospitals in the state of New York must begin reporting cybersecurity incidents to the NYSDOH no later than 72 hours after an incident has been identified. Additionally, hospitals must comply with specific cybersecurity requirements by October 2025, including:
- Establishing a cybersecurity program with specific protocols, procedures, and core functions
  - This includes requirements for audit trails and records maintenance and retention; IT staffing; and cybersecurity training and monitoring
  - It also requires hospitals to employ multi-factor authentication, risk-based authentication or other controls to protect against unauthorized access to Nonpublic Information or information systems
  - Hospitals must conduct user access reviews at least annually, including disabling any unnecessary access and promptly terminating access upon an employee’s departure
- Designating a Chief Information Security Officer
- Risk assessments and considerations for policies and procedures based on the results
My hospital is HIPAA compliant – What’s the difference?
The NYSDOH regulations are intended to supplement and extend the Health Insurance Portability and Accountability Act (HIPAA) security rules. While HIPAA is focused on safeguarding protected health information (PHI) and personally identifiable information (PII), the state regulations extend that protection to Nonpublic Information – such as “the systems that support the continuity of patient care across the hospital ecosystem.”
The state regulations are focused on ensuring hospitals are resilient against cyber attacks. The ultimate goal is to enhance preparedness for cyber attacks targeting healthcare organizations without prescribing specific technologies, programs, or software.
How Identity Governance Solutions Can Help with NYSDOH Compliance
As hospitals develop and launch their cybersecurity program and roll out governance processes, modern identity governance solutions can help achieve and maintain compliance with these new cybersecurity requirements, as well as develop detailed reports that satisfy audit and evidence requirements. As hospitals look to implement a solution, there are a few specific benefits that an IGA solution like Zilla can provide to support compliance, including visibility into identities and automation for user access reviews.
Complete Visibility Across the Entire Identity Ecosystem
- You can’t protect what you can’t see. Gain granular visibility into both the human and non-human identities as the hospital integrates new applications, provisions new users, and conducts access reviews
- Develop comprehensive audit trails with robust evidence packages to satisfy even the most stringent government and industry audit requirements
Defend Against Unauthorized Access with Automated User Access Reviews
- Automate the end-to-end process for conducting user access reviews, from app integration, to campaign coordination and reviewer communication, to a robust evidence package
- Leverage federated pre-approvals for reviews to give valuable time back to busy supervisors and app owners; Zilla can reduce the number of permissions requiring review by up to 75% while still providing an auditor-friendly evidence trail
- Ensure least-privilege access to Nonpublic Information, PHI and PII
- Proactively identify and remediate potential exposure from orphaned accounts, excessive permissions, and policy violations
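To make the access-review mandate above (annual review, disabling unnecessary access, terminating access on departure) and the orphaned-account and excessive-permission checks concrete, here is an added example of the logic an access-review pass runs. It is not Zilla's code or the NYSDOH's; the HR roster, the role baseline, the entitlement export and the field names are all constructed for illustration. The pass joins an application's entitlement export to the HR roster, flags accounts with no living owner, departed owners, permissions outside the owner's role baseline, and reviews older than 365 days, and then seals the findings into an evidence record whose hash a later auditor can recompute.

```python
"""Access-review pass: roster join, policy checks and a tamper-evident evidence record.
Added example, not Zilla's or NYSDOH's code; every data value below is constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import date, timedelta

REVIEW_INTERVAL_DAYS = 365          # "at least annually"
REVIEW_DATE = date(2025, 3, 1)      # constructed review date for the sample run

# Constructed HR roster: employee id -> (role, employment status).
HR_ROSTER = {
    "e100": ("nurse", "active"),
    "e101": ("physician", "active"),
    "e102": ("it_admin", "active"),
    "e103": ("nurse", "terminated"),
}

# Constructed role baseline: permissions a role may hold in a hypothetical EHR app.
ROLE_BASELINE = {
    "nurse": {"ehr.read", "ehr.write_notes"},
    "physician": {"ehr.read", "ehr.write_notes", "ehr.prescribe"},
    "it_admin": {"ehr.read", "ehr.admin"},
}


@dataclass
class Entitlement:
    account: str
    owner: str | None           # employee id; None when the app maps no owner
    permission: str
    last_reviewed: date | None  # None means never reviewed


@dataclass
class Finding:
    account: str
    permission: str
    issue: str
    action: str


# Constructed entitlement export from the EHR app.
SAMPLE_ENTITLEMENTS = [
    Entitlement("svc_backup", None, "ehr.admin", date(2024, 1, 10)),      # no owner at all
    Entitlement("jdoe", "e100", "ehr.read", date(2024, 6, 1)),            # in policy, reviewed
    Entitlement("jdoe", "e100", "ehr.prescribe", None),                   # outside nurse baseline, never reviewed
    Entitlement("asmith", "e101", "ehr.prescribe", date(2023, 11, 15)),   # in policy, review overdue
    Entitlement("bjones", "e103", "ehr.read", date(2024, 6, 1)),          # owner terminated
    Entitlement("rlee", "e102", "ehr.admin", date(2024, 12, 1)),          # clean
]


def review_access(entitlements: list[Entitlement], today: date) -> list[Finding]:
    """Return the findings a reviewer must act on for one application export."""
    findings: list[Finding] = []
    cutoff = today - timedelta(days=REVIEW_INTERVAL_DAYS)
    for e in entitlements:
        hr = HR_ROSTER.get(e.owner) if e.owner else None
        if hr is None:
            # Orphaned: nobody in HR owns this account, so no one can attest to it.
            findings.append(Finding(e.account, e.permission, "orphaned_account", "disable"))
            continue
        role, status = hr
        if status != "active":
            # Departed owner: access should already have been terminated.
            findings.append(Finding(e.account, e.permission, "owner_departed", "terminate_access"))
            continue
        if e.permission not in ROLE_BASELINE.get(role, set()):
            findings.append(Finding(e.account, e.permission, f"excessive_for_role:{role}", "revoke_or_justify"))
        if e.last_reviewed is None or e.last_reviewed < cutoff:
            findings.append(Finding(e.account, e.permission, "review_overdue", "review"))
    return findings


def _canonical(body: dict) -> bytes:
    # Stable serialisation so the hash depends only on content, not key order.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def evidence_record(findings: list[Finding], review_date: date, reviewer: str) -> dict:
    """Bundle findings with reviewer and date, sealed by a SHA-256 over the canonical JSON."""
    body = {
        "review_date": review_date.isoformat(),
        "reviewer": reviewer,
        "findings": [asdict(f) for f in findings],
    }
    return {**body, "sha256": hashlib.sha256(_canonical(body)).hexdigest()}


def verify_evidence(record: dict) -> bool:
    """Recompute the seal; any edit to the stored findings or metadata makes this False."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return hashlib.sha256(_canonical(body)).hexdigest() == record.get("sha256")


def run_sample_review() -> tuple[list[Finding], dict]:
    findings = review_access(SAMPLE_ENTITLEMENTS, REVIEW_DATE)
    return findings, evidence_record(findings, REVIEW_DATE, "reviewer@example.invalid")


if __name__ == "__main__":
    fs, rec = run_sample_review()
    for f in fs:
        print(f"{f.account:<12}{f.permission:<16}{f.issue:<28}{f.action}")
    print("evidence sha256:", rec["sha256"], "verified:", verify_evidence(rec))
```

The join on the HR roster is the step that turns a permission list into an attestable review: an entitlement with no active owner can never be approved by anyone, which is why the orphaned and departed cases are routed straight to disable or terminate rather than to a reviewer. The role baseline is the policy a real deployment would load from its governance tool; here it is a constant so the block runs offline.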
It may seem like a daunting task to add such significant requirements within a hospital in one year (especially with IT budgets as lean as they are) – but it is possible. Zilla can help customers work towards compliance with these new requirements. Book a demo today to learn more!