- October 15, 2024
- Alerts
New York Hospital Cybersecurity Regulations Announced
On October 12, 2024, the New York State Department of Health (“DOH”) published the final cybersecurity regulations for general hospitals (the “Regulations”), with some provisions effective immediately. A copy of the Regulations can be found here.
Who has to comply?
These Regulations apply only to “general hospitals” as defined by the Public Health Law (i.e., these regulations do not apply to nursing homes, D&T Centers, or other Article 28 facilities that do not have an emergency room).
When is compliance required?
In general, compliance is required by October 2, 2025. However, the reporting requirements go into effect immediately. Starting immediately, hospitals must report cybersecurity incidents to the DOH within 72 hours.
A cybersecurity incident is an unauthorized event that:
What do hospitals need to worry about?
Many of the requirements in the Regulations mirror the requirements of the HIPAA Security Rule, but there are a few additional issues to keep in mind. Here are some of the most significant highlights:
What do hospitals need to do?
There are a number of steps that hospitals will need to take in order to ensure that existing HIPAA compliance and cybersecurity programs meet the requirements of these Regulations. At the very least, hospitals need to consider completing the following steps:
Should you have any questions regarding compliance with the Regulations and new requirements, please contact the authors, the Garfunkel Wild attorney with whom you regularly work, or email us at info@garfunkelwild.com.
Who has to comply?
These Regulations apply only to “general hospitals” as defined by the Public Health Law (i.e., these regulations do not apply to nursing homes, D&T Centers, or other Article 28 facilities that do not have an emergency room).
When is compliance required?
In general, compliance is required by October 2, 2025. However, the reporting requirements go into effect immediately. Starting immediately, hospitals must report cybersecurity incidents to the DOH within 72 hours.
A cybersecurity incident is an unauthorized event that:
- has a material adverse impact on the normal operations of the hospital;
- has a reasonable likelihood of materially harming any part of the normal operation(s) of the hospital; or
- results in the deployment of ransomware within a material part of the hospital's information systems.
What do hospitals need to worry about?
Many of the requirements in the Regulations mirror the requirements of the HIPAA Security Rule, but there are a few additional issues to keep in mind. Here are some of the most significant highlights:
- Nonpublic Information. The Regulations apply to “nonpublic information,” which includes protected health information (“PHI”), as well as the hospital’s confidential business-related information or any information that can be used to identify a natural person.
- CISO. There must be a senior or executive-level staff member with proper training, experience and expertise to serve as the Chief Information Security Officer (“CISO”).
- Cybersecurity Program/Policies. Hospitals must implement a cybersecurity program and policies that address specifically enumerated topics. Some of those topics might not be currently addressed in existing policies (e.g., vendor and third-party service provider management, systems and application development, data governance, and classification).
- Governing Board Approvals. The governing board must approve the hospital’s cybersecurity policy, as well as receive annual written reports on the cybersecurity program and material cybersecurity risks.
- Third-Party Service Providers. Hospitals must implement policies to address third-party service providers, including minimum cybersecurity practices required to be met by such third-party service providers in order for them to do business with the hospital.
- Multi-Factor Authentication. A hospital must have appropriate authentication controls (e.g., multi-factor authentication) to protect against unauthorized access to IT systems.
- Annual Penetration Testing. There must be appropriate testing of the cybersecurity program and monitoring of the IT Systems. This includes, among other things, annual penetration testing.
What do hospitals need to do?
There are a number of steps that hospitals will need to take in order to ensure that existing HIPAA compliance and cybersecurity programs meet the requirements of these Regulations. At the very least, hospitals need to consider completing the following steps:
- Immediately implement mechanisms to report cybersecurity incidents to the DOH;
- Ensure that the hospital has a CISO that has the mandated qualifications;
- Expand the hospital’s existing HIPAA security compliance program and policies to address all requirements specified in the Regulations (e.g., implement multi-factor authentication and annual penetration testing);
- Ensure that the expanded cybersecurity program and policies encompass all nonpublic information, not just PHI;
- Determine minimum cybersecurity requirements for third-party service providers and consider amending business associate agreements to address these requirements; and
- Educate the hospital’s governing board.
Should you have any questions regarding compliance with the Regulations and new requirements, please contact the authors, the Garfunkel Wild attorney with whom you regularly work, or email us at info@garfunkelwild.com.