DOH Issues Cybersecurity Incident Notice Protocols
September 10, 2019
By: Craig W. Anderson, Tracy E. Miller, Raul A. Tabora, Jr.
The Office of Health Information Management of the New York State Department of Health (DOH) recently issued a Dear Administrator Letter (DAL) addressed to administrators as well as technology officers at all Article 28 and Article 36 entities. The letter, available here, explains that DOH is implementing a new protocol that should be used by providers to notify DOH of potential cyber security incidents. The DAL includes a specific poster that should be posted in each facility with contact information across New York State for submission of such security incidents. These protocols do not take the place of notification requirements mandated by HIPAA.
Self-reporting of security incidents under the new DAL would also be consistent with federal laws enacted in 2015 addressing such disclosures which help government agencies to obtain advance word of cyber threats. Under the U.S. Cybersecurity Act of 2015 (the Act), immunity may be available for entities who report information necessary to identify security vulnerabilities or other “cyber threat indicators.” The law also clarifies that there is no mandate for reporting created under the Act. It is also critical to note that security incidents are distinct from actual breaches under HIPAA or reporting of successful penetration into IT systems. Such incidents mostly include unsuccessful attempts which may be thwarted by your malware, firewalls or IT protection protocols. This is useful to state and federal agencies to track such attempts, warn others and monitor how security is addressing such attacks at the ground level.
DOH representatives have stated that they intend to issue additional guidance on required protocols in the form of a “Frequently Asked Questions” document. In the meantime, if you have questions regarding these or other reporting requirements, please contact Tracy E. Miller, Raul A. Tabora, any of the attorneys in our Health Care Practice, or the attorney in the firm with whom you are regularly in contact.