New York regulators Monday plan to issue cybersecurity regulations for hospitals, after a series of attacks crippled operations at medical facilities. From a report: Under draft rules reviewed by The Wall Street Journal, New York will require general hospitals to develop and test incident response plans, assess their cybersecurity risks and install security technologies such as multifactor authentication. Hospitals must also develop secure software design practices for in-house applications, and processes for testing the security of software from vendors. Hacking “is a threat to every hospital, and my firm belief is if we protect the hospital, we’re protecting the patients,” said James McDonald, health commissioner for New York state.
Healthcare facilities are popular targets for cybercriminals, particularly ransomware operators hoping for quick ransom payments from administrators worried about risks to patients if technology goes down. Hospitals also hold large amounts of sensitive personal information on their staff and patients, including health and financial data. In August, the largest healthcare accreditation body in the U.S. issued cybersecurity guidelines calling for hospitals to prepare for cyberattacks that could take down critical systems for a month or longer — measures that will require significant investment. Hospitals need to put in place tools and processes that anticipate technology critical for life and safety could be down, and find alternative ways to work without those systems, the nonprofit Joint Commission said.