New Cybersecurity Regulations for New York Hospitals

New Cybersecurity Regulation for New York Hospitals: What You Need to Know

On October 2, 2024, the New York State Department of Health (DOH) unveiled a significant new cybersecurity regulation, 10 NYCRR 405.46, aimed at enhancing the security posture of general hospitals licensed under Article 28 of the Public Health Law. This regulation is a response to the increasing threat of cyberattacks in the healthcare sector, which has seen a surge in incidents that compromise sensitive patient data and disrupt hospital operations. While most provisions of the regulation will take effect on October 2, 2025, the requirement for hospitals to notify the DOH of a cybersecurity incident within 72 hours is already in effect.

Understanding Cybersecurity Incidents

The regulation defines a "Cybersecurity incident" as a cybersecurity event that meets specific criteria: it either has a material adverse impact on the hospital’s operations, poses a reasonable likelihood of such harm, or results in the deployment of ransomware within a significant portion of the hospital’s information systems. This definition aligns with the broader understanding of cybersecurity threats, similar to those outlined in the Health Insurance Portability and Accountability Act (HIPAA) and the New York Department of Financial Services (NYDFS) cybersecurity regulation.

It’s important to note that while unsuccessful attempts to gain unauthorized access are classified as cybersecurity events, only those that qualify as incidents require reporting. Hospitals must remain vigilant, as the new regulation does not exempt them from existing notification obligations under other state or federal laws, including HIPAA.

Key Provisions of the Regulation

Chief Information Security Officer (CISO)

One of the cornerstone requirements of the new regulation is the designation of a Chief Information Security Officer (CISO) for each covered hospital. The CISO must possess adequate experience and training to oversee the hospital’s cybersecurity program. This individual is responsible for issuing an annual report to the hospital’s governing body, detailing the cybersecurity program’s effectiveness and any material risks. This requirement mirrors similar mandates found in HIPAA and NYDFS regulations, emphasizing the importance of accountability at the highest levels of hospital management.

Cybersecurity Program Requirements

The regulation mandates that hospitals develop a comprehensive cybersecurity program tailored to their specific risks. This program must protect non-public information (NPI), which encompasses Personally Identifiable Information (PII), Protected Health Information (PHI), and business-related information. Hospitals must employ qualified cybersecurity personnel or third-party service providers to manage their cybersecurity efforts, ensuring that robust policies are in place to safeguard NPI accessed by these external entities.

Identity and Access Management

To bolster security, the regulation requires hospitals to implement identity and access management procedures, including multi-factor authentication (MFA) for external network access. This measure is crucial in preventing unauthorized access to sensitive information systems. Additionally, hospitals must adhere to the principle of least privilege, limiting user access to only what is necessary for their roles.

Vulnerability Assessments and Testing

Covered hospitals are also required to conduct regular vulnerability assessments and testing, including annual penetration testing and automated vulnerability scanning. These measures are designed to identify and mitigate potential weaknesses in the hospital’s cybersecurity defenses, ensuring that they remain resilient against evolving threats.

Record Retention and Data Disposal

The regulation imposes record retention requirements, mandating that hospitals retain records related to system design, security, and audit trails for at least six years. Furthermore, hospitals must establish policies for the secure disposal of non-public information that is no longer necessary for business operations, addressing a growing concern about data over-retention.

Incident Response Planning

Finally, the regulation requires hospitals to maintain a written incident response plan that outlines procedures for addressing cybersecurity incidents. This plan must include specific sections that align with the requirements set forth by the NYDFS, ensuring that hospitals are prepared to respond effectively to any breaches.

Preparing for Compliance

As the October 2025 deadline approaches, covered hospitals must begin to familiarize themselves with the new regulation and formulate a compliance strategy. This includes assessing existing cybersecurity measures, allocating appropriate resources, and ensuring that all staff are trained on the new requirements.

Hospitals that rely on third-party service providers should review their contractual agreements to ensure they support compliance with the new regulation, particularly the data protection and incident reporting obligations. Incident response plans should also be updated to incorporate the new 72-hour notification requirement to the DOH.

Conclusion

The introduction of 10 NYCRR 405.46 marks a significant step forward in strengthening the cybersecurity framework for New York hospitals. By establishing clear requirements and accountability measures, the regulation aims to protect sensitive patient information and ensure the continuity of hospital operations in the face of increasing cyber threats. As hospitals prepare for compliance, proactive measures will be essential in safeguarding their systems and maintaining the trust of the communities they serve.
