NY State EP Alert 7.2.2025|Security Briefing
HCP attended a New York State Health Care Security Briefing today, July 2, 2025, where the Department of Health (DOH/the Department), a representative from the State Police, and other state security officials explained the heightened security risks in the health care sector due to the Israel/Iran conflict.
In today’s briefing, State Police highlighted their ongoing efforts to increase their visibility, especially in transportation hubs. State Police stressed that there is no active threat, but that resources are being mobilized out of an abundance of caution. HCP urges providers to share this information with their workers, in order to assuage fears of an imminent threat when they see the police presence in subways, bus terminals, and on streets.
As reported in an HCP Emergency Management Alert last week, DOH notified health care providers about the climate of increased risk of cyberattacks and high threat activity against the critical infrastructure of the United States. HCP extends this awareness to our non-provider members as well. In addition to the systems guidance below, DOH suggests organizations tighten physical security against breaches.
Cybersecurity
HCP joins the Department in urging home care providers to remain on high alert and monitor technology systems with increased vigor. Use multi-factor authentication (MFA) for access, and monitor systems for login attempts, especially for any Virtual Private Networks (VPN) you utilize. Remind employees not to click any links from unsolicited emails without first verifying with your cybersecurity team.
Review your emergency management plan for cyber-related hazards to better respond to and report any cybersecurity incidents or threats. Ensure organization-wide awareness of these threats as well as staff understanding of your agency’s response plan generally, and cybersecurity incident response plan specifically.
Cybersecurity attack techniques include but are not limited to distributed denial of service (DDoS), ransomware, and website defacement. Be sure all departments have appropriate backups of data and critical operating systems. Secure your systems against attacks by eliminating connections to public internet, securing remote access to your networks, and changing default passwords to strong, unique ones.
Reporting
Today, Health Commissioner McDonald reminded all health care providers of their responsibility to report any suspicious activity, including both cyber and physical threats. He noted that the Department of Health has broader communication capabilities and the ability to quickly disseminate information to a wider audience to raise awareness across the health care system.
See Dear Administrator Letter (DAL) HCBS 24-07 for instructions regarding home care agencies’ requirement to report any cybersecurity incident that is “likely to have a material adverse impact on operations or results in the deployment of ransomware within a material part of the facility’s or provider’s information systems.”
The report must be made to DOH “as soon as practicable” by calling the Surge Operations Center at (917) 909-2676. The Center will forward your contact information and current incident status to the appropriate department for further action.