New Cybersecurity Protocol for New York State Healthcare Organizations

Newly enacted legislation, the SHIELD Act (Stop Hacks and Improve Electronic Data Security Act), broadens the cybersecurity obligations of New York State (NYS) healthcare organizations. According to HealthData Management, medical providers that “own or license any computerized information” pertaining to state residents may need additional cybersecurity safeguards to meet the updated requirements. The law, as quoted by HealthData Management, expands the definition of “private information” to include the following:

  • Social Security numbers, driver’s license numbers or non-driver identification card numbers;
  • account numbers, credit or debit card numbers, in combination with any required security code, access code or password or other information that would permit access to an individual’s financial account;
  • account numbers, credit or debit card numbers, if circumstances exist under which such numbers could be used to access an individual’s financial account without additional identifying information, security code, access code or password;
  • biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, other unique physical representation or digital representation of biometric data that are used to authenticate or ascertain the individual’s identity; and
  • a username or email address, in combination with a password or security question and answer that would permit access to an online account.

Additionally, HealthData Management says that, under the law, healthcare organizations that suffer a data breach must now adhere to these reporting and safeguard requirements:

  • If a healthcare organization is impacted by a breach that requires notification to affected individuals under HIPAA, “It is sufficient to provide affected New York residents only the notice required under HIPAA, provided notice also is given to the State.”
  • Healthcare organizations affected by a breach that is “reportable to the Secretary of Health and Human Services (HHS) under HIPAA, regardless if it is a reportable breach of private information under the SHIELD Act, must report it to the Attorney General of New York within five days of the report to HHS.”
  • Lastly, the SHIELD Act requires healthcare organizations to implement “safeguards to protect the security, confidentiality and integrity of private information. This includes designated employees to coordinate the security program, identifying reasonably foreseeable internal and external risks, assessing the sufficiency of safeguards in place to control identified risks, training and managing employees of security program practices and procedures, selecting vendors capable of maintaining appropriate safeguards and adjusting the security program in light of business changes or new circumstances.”

MLMIC advises all NYS healthcare organizations to familiarize themselves with these changes to New York State law.