In addition to the requirements set forth by HIPAA, we are seeing more and more states enforce their own additional security measures for Covered Entities. Recently, the state of New York added new cybersecurity requirements for Covered Entities. Most notably, multi-factor authentication is now required. Additionally, the rules for notifying the authorities about potential New York cybersecurity incidents are more stringent.
New York Cybersecurity: Multi-factor Authentication
Multi-factor authentication, sometimes called two-factor authentication or 2FA, is a more secure method of logging in to systems or accounts. Instead of simply entering a password, users are required to take one or more additional steps to verify their identity. Whether you realize it or not, you have likely used multi-factor authentication before.
Have you ever logged into an account and then had to enter a code sent to your mobile device? Have you ever had to use a password and some biometric form of identification, like a fingerprint? ATMs require you to enter a PIN after inserting your debit card to access your bank account. These are all examples of two-factor authentication.
Multi-factor authentication has become the new bare minimum. If your company requires a more stringent login method, you are free to keep that. However, if you are simply asking users to enter one password before they can access sensitive information, such as PHI (Protected Health Information), you will need to increase your security controls.
New York Cybersecurity: Notice of a Cybersecurity Incident
New York State defines a cybersecurity incident as any potential compromise of PHI, and specifically, one of these two things:
- Event(s) that impact the covered entity that would require them to provide notice to the government, a self-regulatory agency, or any other supervising entity under the existing state and federal laws (like HIPAA) for a breach of PHI.
- Event(s) that could likely harm the normal operations of the covered entity. New York Cybersecurity laws do not specify exact scenarios. One example is a loss of data through ransomware or phishing attacks.
In the event of a cybersecurity incident, Covered Entities must notify the Superintendent of Financial Services as soon as possible, and in any case no later than 72 hours (3 days) after determining that a cybersecurity event occurred.
New York-based Covered Entities are required to submit a written statement listing all cybersecurity incidents to the Superintendent by February 15. This list, referred to as the “Appendix” in the New York State document, must include all potentially damaging cybersecurity incidents. Take notice: this deadline is about two weeks earlier than the HIPAA deadline for reporting small breaches to HHS, which falls 60 days after the start of each calendar year.
This is required in order for your organization to be considered compliant. If you report your small breaches and cybersecurity incidents the way HIPAA and state laws mandate, you will not be penalized. Additionally, you must retain these records of small incidents for 5 years in case the New York Department of Financial Services or Superintendent requests to see them at a later date.
After a cybersecurity incident, Covered Entities must identify the areas, systems, or processes responsible for the data compromise and determine the best ways to improve them.
New York Cybersecurity: Exemptions from New Regulations
The following groups are exempt from these new requirements:
- Covered Entities (CEs) with fewer than 10 employees, including independent contractors and Business Associates located in New York
- CEs that earned less than $5,000,000 in gross annual revenue in each of the last three fiscal years
- CEs with less than $10,000,000 in year-end total assets
- Any employee, agent, or representative of a covered entity who is also a covered entity themselves
  - This person would not need to develop their own cybersecurity program; the larger covered entity’s cybersecurity program includes them.
- Any covered entity that does not directly or indirectly control, operate, or maintain information systems containing sensitive personal information like PHI or PII (Personally Identifiable Information).
Under updated New York cybersecurity laws, Covered Entities that qualify for exemption must file a Notice of Exemption within 30 days of realizing they are exempt. If a covered entity no longer qualifies for exemption, they have 180 days from the end of the fiscal year (in which they ceased to qualify) to comply with all requirements that now apply to their organization.
However, even if you are exempt, we strongly recommend adopting these security practices. Using multi-factor authentication and identifying the source of potential security compromises benefits all companies. All Covered Entities, Business Associates, and Business Associate Subcontractors must comply with HIPAA. Exemption from New York cybersecurity laws, or any state-specific regulations, does not limit or change HIPAA requirements.
Source: New York Cybersecurity Requirements for Financial Service Companies, a section of New York State Department of Financial Services 23 NYCRR 500