New York Imposes Stringent Cybersecurity and Cyber Incident Reporting Obligations on Hospitals

The New York Department of Health recently adopted cybersecurity regulations ("Regulations") for covered hospitals operating within the State of New York. These Regulations are similar to those that New York Governor Kathy Hochul originally proposed in November 2023, following several cyberattacks against hospitals that disrupted patient care and resulted in the theft of sensitive data.

The Regulations require hospitals to review and potentially strengthen their cybersecurity protocols with safeguards that exceed the security requirements of the Health Insurance Portability and Accountability Act ("HIPAA"). The Regulations are designed to ensure that "all hospitals develop, implement and maintain minimum cybersecurity standards." The type of data covered by the Regulations is significantly broader than HIPAA's Protected Health Information ("PHI") and includes non-public information ("NPI"). For example, NPI includes a hospital's confidential proprietary business-related information, which, if tampered with or subject to unauthorized disclosure, access, or use, would "cause a material adverse impact to the business, operations or security" of a hospital.

The Regulations apply to "general hospitals" as defined by Public Health Law § 2801 and require hospitals operating in New York to:  

• Establish a cybersecurity program, regularly assess internal and external cybersecurity risks, and establish a response and notification protocol in the event of a cybersecurity incident. 
• Appoint a senior staff member or executive with proper training and experience to serve as Chief Information Security Officer.
• Report "material cybersecurity incidents" to the NYDOH within 72 hours.
• Obtain authorization of the cybersecurity policy from the governing board.
• Provide the governing board with written reports on the Hospital's cybersecurity program and risk posture. 
• Use a qualified internal or third-party cybersecurity professional to manage cybersecurity protocols and risks.
• Use multifactor authentication to access internal networks from an external network.
• Conduct an annual risk assessment of potential risks and vulnerabilities to NPI.
• Define incident response plan requirements.
• Periodically review access privileges to information systems that provide access to NPI.
• Provide regular cybersecurity awareness training for all personnel.
• Create a six-year audit trail and records maintenance and retention program.

The law requires compliance with the new regulations by October 2, 2025, however, covered hospitals must comply with the 72-hour incident reporting notification obligations immediately.

At a federal level, Congress included U.S. health care systems as part of the critical infrastructure addressed in the recently introduced Health Infrastructure Security and Accountability Act, which aims to implement standardized cybersecurity requirements and practices on a national level. Hospitals should assess their cybersecurity posture and prepare an action plan for compliance to minimize regulatory risk.