NYSDOH Cybersecurity Incident Reporting for Healthcare Providers
Due to the ongoing COVID-19 global emergency and the upcoming Presidential election, security professionals are seeing more potential cyber threats right now than ever before.
Please review the attached NYSDOH Cyber Security Reporting Procedure, and share the reporting instructions with your staff designated to report incidents for your facility or agency.
An incident is considered a reportable “cybersecurity incident” under the New York State Department of Health guideline if it affects patient care or represents a serious threat to patient safety, including intrusions whose intent appears to be breach or theft of protected health records. Examples include, but are not limited to:
Successful intrusions into a health care provider’s information technology system (including those that are contracted out by the health care provider), network infrastructure, and/or medical equipment/devices.
Ransomware attacks that disable all or part of information technology operations, including administrative systems such as payroll, billing, or appointment scheduling.
Cybersecurity incidents that have the potential to spread through established connections to other health care networks or government systems. Examples include file transfer systems or data reporting interfaces.