In the event of a data breach, healthcare providers in New York should ensure they're familiar with a new, recently implemented protocol for notifying the state's Department of Health.

In a letter, (.PDF) Mahesh Nattanmai, the Chief Health Information Officer for New York's Office of Health Information Management, directed administrators and technology officers in the state last week to follow a new procedure that involves notifying each facility's regional Department of Health office.

The letter breaks down local phone numbers that facilities, wherever they're based - from Schenectady to Queens - should contact in the event of an incident. For the sake of clarification, the department reiterates that a cybersecurity incident is “any attempted or successful unauthorized access, use, disclosure, modification, or destruction of data or interference with an information system operations."

Nattanmai points out in his letter that it's likely the Department of Health will be one of many agencies a healthcare organization calls in the event of a potential cybersecurity incident - the FBI and local law enforcement are surely on a shortlist - but Nattanmai says he hopes hospitals and other facilities realize the value of the DOH in scenarios like this.

“The Department, in collaboration with partner agencies, has been able to provide significant assistance to providers in recent cybersecurity events. Our timely awareness of this type of event enhances our ability to help mitigate the impact of the event and protect our healthcare system and the public health. The Department has designed a more efficient process to engage assistance for providers, as needed,” Nattanmai wrote.

The new protocol is effective immediately and applicable to any hospital, nursing home, diagnostic and treatment center, adult care facility, home health agency, hospice, or licensed home car service agency in the state of New York.

The letter doesn’t give any guidance around how soon after a potential incident an administrator should contact the Department of Health.

When it comes to notifying affected New York residents, it doesn't appear this change should affect facilities already compliant with the Health Insurance Portability and Accountability Act, which under recently passed New York SHIELD Act, are exempt from notification requirements following a data breach.

Organizations that already comply with data breach notice requirements under regulatory laws like HIPAA and NYCR 500 still need to inform agencies like the New York attorney general, the New York State Department of State Division of Consumer Protection, and the New York State Division of the State Police.

To recap, The SHIELD Act, passed in July, broadened the definition of information under new York’s data breach notification law to include Social Security numbers, driver's license information, credit and debit card numbers, and even biometric information but not healthcare data. While The SHIELD Act added security requirements for covered entities, it assumes organizations already in compliance with data protection laws.

Nattanmai is encouraging facilities in the state to continue to follow typical best practices following a breach, like reporting events under the New York Patient Occurrence Reporting and Tracking System, a reporting system that hospitals and diagnostic and treatment centers are bound to under New York Code.

According to a study released this summer the cost of a healthcare data breach continues to increase. In 2019, breaches cost organizations $6.45 million on average and $429 per each breached record, an uptick of 5.15 percent over last year.