Advancing Beyond Regulatory Standards
Lares' Perspective on New York's Hospital Cybersecurity Regulation
Does Compliance Stop Hackers?
New York’s Section 405.46 hospital cybersecurity regulation is a landmark step toward safeguarding patient data and maintaining operational continuity. By requiring measures such as appointing a CISO, conducting annual risk assessments, and implementing Multi-Factor Authentication (MFA), this regulation provides a crucial baseline for healthcare cybersecurity. But at Lares, we believe that compliance is not the finish line—it’s the starting point.
The New Regulation: A Baseline, Not a Finish Line
Section 405.46 mandates foundational cybersecurity measures, including:
- Appointing a Chief Information Security Officer (CISO): Strategic cybersecurity oversight.
- Annual risk assessments: Identifying vulnerabilities and prioritizing mitigation.
- Multi-Factor Authentication (MFA): Protecting external-facing systems.
- Staff training: Equipping employees to recognize and respond to threats.
- Penetration testing: Identifying and addressing security weaknesses.
- Real-time threat monitoring: Detecting and responding to network threats.
While these are essential, they won’t stop today’s sophisticated attackers. Hospitals must adopt a proactive, comprehensive security strategy that evolves with the threat landscape.
Defending Against Evolving MFA Threats
- Simulating MFA attack vectors: Through penetration testing, we replicate real-world attack scenarios, including phishing and vishing campaigns.
- Optimizing configurations: Reviewing MFA policies so they are securely configured and minimize the risk of bypass.
- Enhancing awareness: Training employees to identify fake push notifications and phishing attempts.
Learn more about bypassing MFA with push fatigue and Lares' approach in our blog post.
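The push-fatigue threat mentioned above can be reasoned about from the defender's side: a user is flooded with push prompts until one is approved by mistake, so the signal in authentication logs is a burst of denied or unanswered prompts for one account, sometimes ending in an approval. The following Python script is an added example, not Lares' code and not something the regulation prescribes; it detects that pattern over constructed log lines and checks a push-MFA policy for weak settings. The log format, the thresholds, and the policy keys (`number_matching`, `max_pushes_per_10min`, `show_request_context`, `allowed_factors`) are assumptions, not any vendor's real schema.

```python
"""Defender-side checks for MFA push fatigue (push bombing).

Added example, not Lares' code. The log format, thresholds and policy keys below
are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format: ISO timestamp, user, result, source IP).
# 'denied' and 'timeout' are prompts the user did not approve.
SAMPLE_LOG = """\
2024-05-01T02:10:01Z alice denied 203.0.113.5
2024-05-01T02:10:40Z alice timeout 203.0.113.5
2024-05-01T02:11:15Z alice denied 203.0.113.5
2024-05-01T02:12:02Z alice timeout 203.0.113.5
2024-05-01T02:13:30Z alice approved 203.0.113.5
2024-05-01T08:00:00Z bob approved 198.51.100.7
2024-05-01T08:30:12Z bob denied 198.51.100.7
2024-05-01T09:05:00Z bob approved 198.51.100.7
2024-05-01T22:40:00Z carol timeout 192.0.2.9
2024-05-01T22:41:00Z carol timeout 192.0.2.9
2024-05-01T22:42:00Z carol denied 192.0.2.9
2024-05-01T22:43:00Z carol timeout 192.0.2.9
2024-05-01T22:44:00Z carol timeout 192.0.2.9
2024-05-01T22:45:00Z carol denied 192.0.2.9
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
BOMBING_THRESHOLD = 5            # unapproved prompts in WINDOW with no approval yet
FATIGUE_THRESHOLD = 3            # unapproved prompts in WINDOW followed by an approval


def parse_events(text):
    """Parse whitespace-separated log lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "result": result, "ip": ip})
    return events


def detect_push_fatigue(events):
    """Return findings: 'push_bombing' (burst of unapproved prompts) and
    'fatigue_approval' (approval right after such a burst, the worrying case)."""
    findings = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        recent = []  # unapproved prompts inside the sliding window
        for e in evs:
            recent = [r for r in recent if e["ts"] - r["ts"] <= WINDOW]
            if e["result"] == "approved":
                if len(recent) >= FATIGUE_THRESHOLD:
                    findings.append({"user": user, "kind": "fatigue_approval",
                                     "prompts": len(recent), "ts": e["ts"], "ip": e["ip"]})
                recent = []  # an approval ends the burst either way
            else:
                recent.append(e)
                if len(recent) == BOMBING_THRESHOLD:  # fire once per burst
                    findings.append({"user": user, "kind": "push_bombing",
                                     "prompts": len(recent), "ts": e["ts"], "ip": e["ip"]})
    return findings


def check_push_policy(policy):
    """Flag weak settings in a hypothetical push-MFA policy dict.
    Keys are assumptions; the mitigations themselves (number matching, rate
    limiting, request context, a phishing-resistant factor) are standard."""
    issues = []
    if not policy.get("number_matching", False):
        issues.append("number matching disabled: a user can approve a push they did not start")
    limit = policy.get("max_pushes_per_10min")
    if limit is None or limit > 5:
        issues.append("no or loose rate limit on push prompts per user")
    if not policy.get("show_request_context", False):
        issues.append("push carries no request context (app, location), so users cannot judge it")
    factors = policy.get("allowed_factors", [])
    if "push" in factors and "fido2" not in factors:
        issues.append("no phishing-resistant factor (e.g. FIDO2) offered alongside push")
    return issues


if __name__ == "__main__":
    for f in detect_push_fatigue(parse_events(SAMPLE_LOG)):
        print(f"{f['ts']:%H:%M:%S} {f['user']:6} {f['kind']:17} prompts={f['prompts']} ip={f['ip']}")
    print(check_push_policy({"allowed_factors": ["push"]}))
```

Run as a script it reports a push-bombing burst for carol, an approval after four unapproved prompts for alice (the case worth a call to the user), nothing for bob's spaced-out denial, and four policy weaknesses for a push-only policy with defaults. The thresholds are a starting point; tune them against your own identity provider's prompt volume before alerting on them.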
Comprehensive Attack Surface Management
With the growing adoption of cloud platforms, IoT devices, and third-party applications, the attack surface for hospitals continues to expand. Lares provides a holistic approach to managing these risks through:
- Penetration Testing: Simulating real-world attacks to measure the effectiveness of defenses.
- Purple Teaming: Collaborating with internal teams to refine threat detection and response.
- vCISO Services: Offering strategic oversight and alignment with compliance frameworks.
- Attack Surface Management: Mapping and securing shadow IT assets.
Why Compliance Alone Isn’t Enough
At Lares, we don’t believe in one-size-fits-all solutions. Our consultants craft tailored strategies to meet your organization’s unique challenges. From MFA hardening to iterative Purple Team engagements, we help hospitals strengthen their defenses while maintaining operational continuity.
"Cybersecurity in hospitals is more than just protecting data; it’s about safeguarding patient trust, ensuring uninterrupted care, and defending critical operations against always-evolving threats. Regulations like New York's Section 405.46 are essential because they set clear, actionable standards that help hospitals build resilience and stay ahead of any potential risks."
Darryl MacLeod - vCISO and Principal Advisor
Empowering Organizations to Maximize Their Security Potential.
Lares is a security consulting firm that, since 2008, has helped companies secure electronic, physical, intellectual, and financial assets through a unique blend of assessment, testing, and coaching.
16+ years in business
600+ customers worldwide
4,500+ engagements