Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

New York Plans Cyber Rules for Hospitals (wsj.com) 24

New York regulators Monday plan to issue cybersecurity regulations for hospitals, after a series of attacks crippled operations at medical facilities. From a report: Under draft rules reviewed by The Wall Street Journal, New York will require general hospitals to develop and test incident response plans, assess their cybersecurity risks and install security technologies such as multifactor authentication. Hospitals must also develop secure software design practices for in-house applications, and processes for testing the security of software from vendors. Hacking "is a threat to every hospital, and my firm belief is if we protect the hospital, we're protecting the patients," said James McDonald, health commissioner for New York state.

Healthcare facilities are popular targets for cybercriminals, particularly ransomware operators hoping for quick ransom payments from administrators worried about risks to patients if technology goes down. Hospitals also hold large amounts of sensitive personal information on their staff and patients, including health and financial data. In August, the largest healthcare accreditation body in the U.S. issued cybersecurity guidelines calling for hospitals to prepare for cyberattacks that could take down critical systems for a month or longer -- measures that will require significant investment. Hospitals need to put in place tools and processes that anticipate technology critical for life and safety could be down, and find alternative ways to work without those systems, the nonprofit Joint Commission said.

This discussion has been archived. No new comments can be posted.

New York Plans Cyber Rules for Hospitals

Comments Filter:
  • by XXongo ( 3986865 ) on Monday November 13, 2023 @03:52PM (#64003143) Homepage
    Would be good rules for other businesses impacting the public, too, I'd think.
    • by Szeraax ( 1117903 ) on Monday November 13, 2023 @04:28PM (#64003225)

      I work at a bank. Our state already has quite rigorous audits that they put us through every year.

      * BC/DR plans created and actually tested?
      * Cybersecurity risk assessments as part of cyber insurance?
      * SDLC management and controls (including pen tests) for in-house applications?
      * Vulnerability scanning and remediation?
      * And more

      Banks are known for ~~taking advantage of people~~ being critical for residents, so gov't now heavily regulates and provides oversight on them (boy, I wish markdown worked on /.). Makes sense that hospitals are in the same boat.

      • by Midnight_Falcon ( 2432802 ) on Monday November 13, 2023 @05:34PM (#64003371)
        All of the things that you mention are already part of HIPAA, which is a federal law. The problem is enforcement is nonexistent unless there has been an actual breach. Then you get fined according to how much you neglected those guidelines.

        There is no such thing as a "HIPAA Audit" although numerous third party organizations like HITRUST offer them, they have no weight or bearing on legal compliance with HIPAA.

        • Healthcare has additional hurdles similar to the power producing industry that lead directly to increased vulnerability.

          Whether your concerns are for SCADA or for heart monitoring equipment, patching is a bitch to the point that a lot of environments simply don't do it unless they have to. Thankfully most of these applications undergo a lot more QA, but whether its Linux or Windows, patching is still required and a very good idea.

          When patching requires going through FDA recertification, most manufacturers

          • Under draft rules reviewed...

            Rules: regulations more or less unenforced and where the penalty is less than the cost of ignoring the requirements

            Laws: regulations where citizens get fined and/or go to jail for minor infractions

        • As someone who's done a HITRUST audit in the past, I can confirm that they are time consuming, require tons of paperwork, and really don't all all that much to improve your security posture.

          But, hey... I'm sure that the auditor firms who sponsored this legislation will be happy and the patients will get another line item on their medical bills to pay for the extra expenses.

    • >Would be good rules for other businesses impacting the public, too, I'd think.

      Most of what is listed in the summary is already required by HIPAA.

  • force the vendors to let us do OS updates on there hardware that runs there software.
    Let us say no they must have an remote link to there hardware.

  • IT costs (Score:4, Informative)

    by Archangel Michael ( 180766 ) on Monday November 13, 2023 @03:55PM (#64003147) Journal

    Good IT is expensive.

    Bad IT is costly.

    • vendors have to much control and IT can be stuck with having to make crap software work.

    • by Anonymous Coward

      Good laws are expensive, but are quite often very justified.

      Bad laws don't do anyone any good, and without laying down some legal protections for the InfoSec professionals New York assumes will lay their neck across the chopping block when the inevitable happens...all I can say is good luck convincing someone to fill that freshly-mandated CSO position that comes with a free necktie and axe.

      We all can appreciate common-sense security practices that should have been implemented decades ago, because common sen

    • The challenge is that good support is hard to find. When you find it then it is hard to maintain. If you manage to do it well, you still have risks from a lapse at a vendor.

      "Perfect is the enemy of good" but security requires perfection.

    • by gweihir ( 88907 )

      Yep. Unfortunately the bill does not usually go to the same people. That is why regulation is needed.

  • Awesome! (Score:4, Interesting)

    by peterww ( 6558522 ) on Monday November 13, 2023 @04:48PM (#64003269)

    Having worked at large health systems, they absolutely will not add security until they're legally required to. This is a great step forward. Now they just need to pass similar legislation for any organization which maintains sensitive records, like social security numbers and financial records.

  • One the biggest problems with hospitals is that they tend to be run by a board of doctors and IT has zero input at the higher decision making levels.
    • they tend to be run by a board of doctors and IT has zero input at the higher decision making levels

      I'm sure that IT ranks very low on the totem pole, but hospitals haven't been run by doctors for quite some time. In fact, it's generally illegal for doctors to have a management position in a hospital where they also see patients.

      I'm not going to pretend that doctors would absolutely be better overlords than standard-issue MBAs, but at least we understand the underlying business, and most doctor-owned hospitals were local affairs - not run by private equity groups from across the country.

      • Doctors that have become bureaucrats are still doctors. Sure the MDs running hospitals may not practice any more since they spend all their time running a hospital. But here is just one example in Albany NY, the state that is the topic of the article: https://www.sphp.com/about-us/... [sphp.com] . Note the degrees of the COO https://www.linkedin.com/in/ki... [linkedin.com] and the "Chief Health Informatics Officer" https://www.linkedin.com/in/pe... [linkedin.com]. There is no one on this 17 person leadership team that really represents IT.
        • I mean, OK, but how many non-tech businesses really give IT a seat at the table for big decisions? I see two MD's, one of which is the chief clinical officer (so, has to be an MD), the other of which is president.

          It's mostly run by nurses.
  • by networkzombie ( 921324 ) on Monday November 13, 2023 @05:58PM (#64003413)
    How will rules stop third party software, like MoveIT or SolarWinds, from being the attack vector? New rule: no third-party software? Hell, I bet it would take months just to audit the systems for third party software. Who knows what crap some underpaid IT guy installed on the systems to make them work. Old Winrar?
  • Apparently, personal security means nothing to them.
  • by The Cat ( 19816 )

    Put the government in charge of security, but don't hire any of the 3600 people who applied for the job.

    So basically there are 97 people with a crab cake between their index finger and thumb for every guy with hands on a keyboard or cable.

    Oh, I'm sorry. It's Christmas. The keyboard guy got fired.

Technology is dominated by those who manage what they do not understand.

Working...