New York Hospital Cybersecurity Reporting Rules Take Effect

On October 2, 2024, the New York State Department of Health published notice of its adoption of the previously proposed hospital cybersecurity regulations. The adopted regulations appear in the new Section 405.46 of Title 10 of the New York Codes, Rules and Regulations (10 NYCRR 405.46). Compliance with most provisions of the rule is required by October 2, 2025.

Effective immediately, general hospitals in New York must report cybersecurity incidents to the state’s Department of Health within 72 hours of discovering them, a window short enough that a hospital needs a triage process able to decide quickly whether an event is reportable. The hospital must make available to the department all supporting documentation, including records, schedules, reports, and data. If a hospital identifies systems or processes that need improvement following an attack, it must document its remediation plans, and those plans must be available for inspection by the department. All of this documentation must be retained for at least six years.

The New York hospital cybersecurity reporting rules do not replace any other notification obligations under state or federal law or regulation, such as HIPAA breach notification; a single incident may therefore trigger several reporting timelines that run in parallel.

What Is Considered a “General Hospital”?

New York statute defines a “General Hospital” as a hospital engaged in providing medical and surgical services primarily to in-patients by or under the supervision of a physician on a 24-hour basis with provisions for admission or treatment of persons in need of emergency care and with an organized medical staff and nursing service, including facilities providing services relating to particular diseases, injuries, conditions or deformities. Residential healthcare facilities, public health centers, diagnostic centers, treatment centers, outpatient lodges, dispensaries, and laboratories are not subject to these regulations.

Additional New York Hospital Cybersecurity Requirements Taking Effect in October 2025

The remaining provisions of Section 405.46 take effect in October 2025 and will require hospitals to:

  • Establish a cybersecurity program to identify and assess internal and external cybersecurity threats, and to detect, respond to, and recover from cybersecurity events. The program must also include:
    • Policies and protocols to limit user access privileges to information systems that provide access to nonpublic information.
    • Written procedures, guidelines, and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the hospital, and procedures for evaluating, assessing, and testing the security of externally developed applications utilized by the hospital.
    • Procedures to securely dispose of nonpublic information that is no longer needed for business operations.
    • Policies and procedures to protect data in transit and at rest.
    • Policies and controls to defend against phishing and spoofing.
  • Develop written cybersecurity policies based on the hospital’s risk assessment.
  • Obtain approval of the cybersecurity policy from the hospital’s governing body.
  • Designate a qualified Chief Information Security Officer (CISO), who may be a hospital employee or employed by a third-party service provider.
  • Perform annual penetration testing.
  • Maintain system design, security, and maintenance records.
  • Maintain systems with audit trails sufficient to detect and respond to cybersecurity events.
  • Conduct a risk assessment, at least annually, to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of nonpublic information.
  • Employ qualified cybersecurity personnel or engage a qualified third party.
  • Implement written policies and procedures to secure information systems and nonpublic information that is accessible to, or held by, third-party service providers.
  • Use multi-factor authentication, risk-based authentication, or other compensating controls to protect against unauthorized access.
  • Limit user access privileges to nonpublic information.
  • Monitor the activity of authorized users to detect unauthorized access, use, or tampering with nonpublic information by such authorized users.
  • Provide regular cybersecurity awareness training.
  • Establish a written incident response plan.

CompliancePoint’s healthcare and cybersecurity professionals are committed to helping organizations develop and implement security and data privacy programs that comply with HIPAA and other applicable regulations. Contact us at connect@compliancepoint.com to learn more about our services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.