
Navigating Regulatory Changes: A Look into the NYDFS Cybersecurity Regulation

On November 1st, 2023, the New York Department of Financial Services (“NYDFS”) published its second amendment to the cybersecurity regulation 23 NYCRR 500. This amendment reflects New York’s approach to mitigating cybersecurity risks for financial institutions that it supervises. 

Whether you or your clients need to comply with this regulation, or are looking to see what controls regulators are requiring, it is important to: 

  • Review the requirements with your security and compliance teams

  • Perform an internal gap assessment

  • Ensure that your organization has the controls or remediation plans in place to comply

Not sure where to start? 

Don’t worry, we put together a NYDFS toolkit for Corvus policyholders and a free consultation with attorneys that focus on privacy and security compliance! Email us to request your toolkit or the free consultation.

 

Here is a breakdown of the key changes:

 

Definitions

New York has added new terms and definitions in an attempt to provide further clarity on compliance.

Term: Class A Companies
Definition: A new classification of organizations that have at least $20 million in gross annual revenue in each of the last two fiscal years in New York and either:
  • Over 2,000 employees over the last two fiscal years
  • Over $1 billion in gross annual revenue in each of the last two years from all business operations

Term: Privileged Account
Definition: Authorized user or service accounts that can be used to perform security-related functions that ordinary users are not authorized to perform, including but not limited to the ability to add, change, or remove other accounts, or make configuration changes to information systems.

Term: Senior governing body
Definition: The board of directors (or an appropriate committee thereof) or equivalent governing body. If neither exists, then the senior officer or officers responsible for the organization’s cybersecurity program.

Policies and Procedures

The amendment adds requirements around the organization’s policies and procedures, emphasizing their role as the foundation of a cybersecurity program. Staying compliant may require additional time and resources.

Section: 500.3 - Cybersecurity Policy
Change: Procedures developed, documented, and implemented in accordance with the controls covered in the policies. This includes the addition of data retention, end of life management, vulnerability management, and more.

Section: 500.15 - Encryption of Nonpublic Information
Change: Implement a written policy requiring encryption that meets industry standards, to protect nonpublic information held or transmitted by the organization both in transit and at rest.

Section: 500.16 - Incident response and business continuity management
Change: Establish written incident response, business continuity and disaster recovery plans, with specific requirements for each.

Cybersecurity Controls

New controls have been introduced while existing ones have been updated to align with the evolving cybersecurity landscape. This means not only more resources and time spent on implementing these new or modified controls but also potentially additional tooling to meet compliance.  

Section: 500.5 - Vulnerability Management
Change: Modified current requirement to conduct, at minimum:
  • Annual penetration tests
  • Automated scans alongside manual reviews for identifying, analyzing, reporting, and remediating vulnerabilities in a timely manner

Section: 500.7 - Access privileges and management
Change: Modified current requirement to implement access management controls that adhere to the principle of least privilege, including:
  • Limit user access privileges to those necessary for the user’s job
  • Limit the number of privileged accounts and the privileges that these accounts have
  • Limit the use of privileged accounts to only when performing functions requiring the use of these accounts
  • Review all user access privileges at least annually

Section: 500.13 - Asset management and data retention requirements
Change: New requirement to produce, maintain and update an asset inventory and track key information for each asset, including owner, location, classification/sensitivity, expiration dates, and recovery time objectives.

Class A Companies

The additional requirements for Class A companies, as defined above in the definitions section, highlight the heightened cybersecurity expectations for larger entities. These stem from the potential widespread impact of incidents, the inherent challenges posed by the complexity and scale of their operations, and the public expectation of robust cybersecurity measures to safeguard sensitive data and maintain trust. Depending on your current environment, this could mean more investment in time, resources, and tooling, and bringing on an auditing firm to meet the independent audit requirement.

Section: 500.2 - Cybersecurity program
Change: Design and conduct an independent audit of the cybersecurity program based on the organization’s risk assessment.

Section: 500.7 - Access privileges and management
Change: Implement a privileged access management solution and an automated way of blocking commonly used passwords for all accounts on systems owned or controlled by the organization and, wherever feasible, for all other accounts.

Section: 500.14 - Monitoring and training
Change: Implement an endpoint detection and response solution and a solution that centralizes logging and security event alerting.

Administrative Items

New York also included updates aimed at supporting accountability and transparency in managing cybersecurity risks. Both are important in fostering a culture of responsibility, informed decision-making, and building trust with stakeholders. The result is additional reporting requirements, which will require more collaboration between security, legal, and executive leadership teams for both cybersecurity incidents and compliance attestations.

Section: 500.17 - Notices to Superintendent
Change: The requirement to report a cybersecurity incident within 72 hours now applies when a cybersecurity event occurs at the organization, its affiliates, or a third-party service provider that:
  • Impacts the organization and requires notification to any government, self-regulatory, or supervisory body
  • Has a reasonable likelihood of materially harming any material part of the operations of the organization
  • Results in the deployment of ransomware within a material part of the organization’s systems

Section: 500.17 - Notices to Superintendent
Change: Provide written acknowledgement of any portions of the regulation that the organization does not materially comply with, including documented remediation timelines and plans, signed by both the CISO and the highest-ranking executive (i.e., CEO).

Section: 500.17 - Notices to Superintendent
Change:
  • Provide notice of any extortion payment within 24 hours of the payment being made.
  • Within 30 days, provide a written description of the reasons the payment was necessary, a description of alternative measures considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with other applicable rules and regulations.

Timeline

The amendment includes a transitional period for organizations to comply with the various changes. Below is a compliance timeline to support your journey. 

[TIMELINE] 23 NYCRR 500 - Second Amendment Compliance Timeline

Next steps

The changes outlined above are only a portion of those in the amendment. Conducting an internal gap assessment against the amendment is a prudent first step to understand what gaps exist in your current cybersecurity program and where additional support is needed.

Yes, this is a lot! But Corvus has created a NYDFS toolkit that includes a gap assessment template to guide organizations through their internal assessment process. We have also secured a free consultation with a leading law firm to help your organization (or your clients) start to navigate the changes. If you are a Corvus policyholder or broker partner, email us and request the toolkit or consultation. We encourage all organizations to stay updated on future potential changes to the regulation by signing up on the NYDFS’ website for email updates on the amendment. 

This blog is intended for general guidance and informational purposes only. This blog is under no circumstances intended to be used or considered as specific legal, insurance, or information security advice. This blog is not to be considered an objective or independent explanation of the matters contained herein.
