Breaking down New York's hospital cybersecurity regulations
New York's hospital cybersecurity regulations include 72-hour incident reporting and other requirements to bolster cybersecurity programs in the state's general hospitals.
Newly enacted New York State hospital cybersecurity regulations set new requirements for how hospitals must handle and report cybersecurity incidents. As of Oct. 2, 2024, general hospitals across the state must report material cybersecurity incidents to the New York State Department of Health within 72 hours of discovery.
Effective Oct. 2, 2025, hospitals in New York State will also be required to implement various other provisions, such as appointing a chief information security officer (CISO) and implementing a cybersecurity program that includes multifactor authentication (MFA) and annual risk assessments.
While they only apply to the approximately 195 general hospitals in New York State, healthcare organizations in other states can look at these regulations for insights into how regulators at state and federal levels might tackle healthcare cybersecurity going forward.
Exploring the provisions of the new NY hospital cybersecurity rules
The most notable provision within New York State's hospital cybersecurity rules is the 72-hour window for reporting material cybersecurity incidents to the state. According to the text of the regulations, a hospital must report any cybersecurity incident that falls into at least one of three categories:
- Has a material adverse impact on the normal operations of the hospital.
- Has a reasonable likelihood of materially harming any part of the normal operations of the hospital.
- Results in the deployment of ransomware within a material part of the hospital's information systems.
The proposed rule suggested a two-hour reporting timeframe, but following a public comment period, regulators settled on a 72-hour window for reporting a cybersecurity incident.
This tight timeframe differs sharply from the reporting requirements under HIPAA, with which New York State hospitals must still comply. Under the HIPAA Breach Notification Rule, covered entities must report data breaches affecting 500 or more individuals to HHS without unreasonable delay and no later than 60 days after discovery. Even that timeline has proved challenging for some entities, and late notifications have resulted in enforcement actions.
However, the 72-hour reporting requirement in New York simply requires hospitals to inform the New York State Department of Health that there has been a cybersecurity incident so that the department can help set up emergency response and limit exposure to other entities. It does not require entities to confirm that a data breach occurred.
Even so, hospitals must have strong incident response plans in place so they can detect incidents promptly, determine whether an incident meets the materiality threshold and notify the department within 72 hours of discovery.
Additionally, the regulations require hospitals to retain documentation related to cybersecurity incidents for at least six years and provide it to the New York State Department of Health if requested.
While the notification requirements are already in effect, New York hospitals have one additional year to comply with the rest of the rules. Organizations with mature cybersecurity programs might have implemented some of these requirements already but should review the text of the New York State regulation to confirm that their existing controls satisfy each provision.
The rule includes several other provisions that hospitals will have to comply with by Oct. 2, 2025:
- Develop and implement a cybersecurity program designed to identify internal and external cybersecurity risks.
- Implement security controls to mitigate the risk of email-based threats.
- Appoint a senior or executive-level staff member to serve as the CISO. Hospitals are permitted to outsource the role of the CISO to a third-party contractor.
- Use MFA, risk-based authentication or another control to protect nonpublic information from unauthorized access.
- Adopt a written incident response plan that enables the hospital to respond and recover from material cybersecurity incidents.
- Develop policies for the disposal of nonpublic information that is no longer necessary for operations.
- Conduct an annual risk assessment and develop monitoring and testing protocols, including penetration testing, in accordance with the risk assessment.
- Maintain audit trails.
- Develop security policies for third-party service providers.
- Use qualified cybersecurity personnel to manage the hospital's cybersecurity risks and oversee the hospital's cybersecurity performance.
The New York State Department of Health said that it conducted several rounds of outreach to healthcare organizations to get feedback on the proposed rules.
"As a result of those discussions, the Department took significant steps to ensure that no specific references to technology, programs or software were included into the regulations," the rule's text states. "In this way, it allows for facilities to become compliant with the regulations however they may be able to, without the regulation becoming too prescriptive, or requiring use of overly expensive or specific software. These regulations establish truly baseline, general requirements that allow maximum flexibility to healthcare facilities to comply based on their operations."
While hospitals will have to cover some of the cost of implementing these rules, New York State approved more than $500 million in funding to support cybersecurity investments within healthcare facilities.
As previously mentioned, the rules only apply to general hospitals -- nursing homes, diagnostic centers and other types of healthcare organizations are not required to comply.
What do the NY regulations mean for the sector as a whole?
Although the above regulations only apply to hospitals in New York, hospitals in other states can measure their own security programs against the best practices contained in these rules to prepare for future regulations that could arise in their own states and at the federal level.
Essentially, these rules establish a baseline for cybersecurity that all general hospitals in the state of New York must achieve to prevent and respond to cyberattacks effectively.
The regulations were created following several cyberattacks against hospitals and are in line with federal proposals advocating for minimum cybersecurity standards across the healthcare sector in an age of increased cyber threats.
For example, HHS released sector-specific cybersecurity performance goals (CPGs) in January 2024. Although adherence to the CPGs is voluntary, HHS said at the time that they would be the basis of new enforceable cybersecurity standards.
The New York regulations are an example of state regulators taking healthcare cybersecurity into their own hands in advance of federal efforts.
"I think they were sort of forecasting that the federal movement to come up with a set of regulations was moving somewhat slowly," said George Pappas, CEO of Intraprise Health. "The work has been in process for a couple of years now. They more or less said, look, we know there's a federal movement afoot, but we need to do something now because, candidly, this affects patient safety and well-being. And so, they laid down the marker."
Pappas noted that the requirements share similarities with the CPGs and the Health Industry Cybersecurity Practices (HICP) publications, both of which offer prescriptive security measures that organizations can adopt to improve their cybersecurity posture.
"It's really about getting more intentional with how they are managing all these risks," Pappas said.
While HIPAA requires covered entities to maintain an incident response plan and employ strong security controls, it is intentionally not prescriptive and has not seen a major update since 2013. New York's regulations work alongside HIPAA, rather than conflicting with it.
"On HIPAA, I don't see an overlap," Pappas said. "It is complementary, and it is one state's version of a blueprint for how to get security to a better place."
Pappas recommended that all healthcare organizations, regardless of whether they are subject to New York State's new regulations, practice incident response plans and work to improve their security programs to mitigate risk and prepare for any future cybersecurity standards that could be enshrined into law.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.