GNYHA Urges DOH to Pause Finalizing Proposed Cybersecurity Regulations

February 12, 2024

GNYHA submitted comments to the New York State Department of Health (DOH) urging the State to avoid misaligning Federal and State cybersecurity standards for hospitals by waiting to finalize their proposed regulations until updated Federal requirements are released.

The State’s proposed rule, which is significantly more expansive than current HIPAA regulations, arrives as the US Department of Health and Human Services (HHS) is preparing to impose new cybersecurity regulations on hospitals.

GNYHA expressed appreciation for New York Governor Kathy Hochul’s efforts to address the targeting of heath care institutions by cyber criminals, and we share her concerns about the ongoing spate of attacks on hospitals. However, GNYHA cautioned DOH about the confusion and expense hospitals would face from competing State and Federal requirements.

GNYHA encouraged DOH to convene the hospital cybersecurity roundtable announced in the Governor’s State of the State address to better understand what hospitals are already doing in cybersecurity preparedness and how the State can help hospitals’ efforts before announcing new regulations.

The comment letter included suggestions to modify the proposed rule should DOH finalize it before HHS acts. Finally, GNYHA noted that while the $500 million in last year’s budget for cybersecurity was very much appreciated, it could not be used to meet the demands of DOH’s regulations—if finalized as proposed—because that money is earmarked for capital expenses.