New York State’s Hospital Cybersecurity Regulations: A Comprehensive Overview
On October 2, 2024, the New York State Department of Health (NYSDOH) took a significant step in bolstering the cybersecurity framework for general hospitals across the state. The newly adopted regulations mandate that hospitals establish robust cybersecurity programs tailored to their specific risk assessments. This initiative is part of Governor Kathy Hochul’s broader New York State Cybersecurity Strategy, aimed at enhancing the security of sensitive health information and ensuring the resilience of healthcare operations against cyber threats.
New Cybersecurity Program Requirements for General Hospitals
The newly adopted regulations outline several critical requirements that general hospitals must implement to safeguard their operations and patient data. These include:
- Establishment of a Cybersecurity Program: Hospitals are required to develop a comprehensive cybersecurity program grounded in a thorough risk assessment. This program should encompass policies and procedures that address potential vulnerabilities and outline strategies for mitigating risks.
- Record Maintenance: Hospitals must maintain detailed records of their cybersecurity systems, including audit trails that document the detection and response to cybersecurity events. This requirement ensures that hospitals can track incidents and demonstrate compliance with regulatory standards.
- Designation of a Chief Information Security Officer (CISO): To enforce the new cybersecurity policies, hospitals must appoint a CISO. This individual will be responsible for overseeing the implementation of the cybersecurity program and ensuring adherence to the established protocols.
- Incident Notification: In a bid to enhance transparency and responsiveness, hospitals are mandated to notify the NYSDOH within 72 hours of discovering any cybersecurity incident. This requirement is crucial for enabling timely interventions and mitigating potential harm.
- Risk-Based Authentication: To protect against unauthorized access to nonpublic information and information systems, hospitals must implement risk-based authentication or multi-factor authentication (MFA) controls. These measures are essential for safeguarding sensitive data from cyber threats.
Changes to Cybersecurity Incident Reporting Timeframe
One of the most notable aspects of the adopted regulations is the immediate implementation of the 72-hour notification requirement for cybersecurity incidents. While hospitals have until October 2, 2025, to comply with most other provisions, this reporting mandate is effective immediately.
The definition of a "cybersecurity incident" encompasses events that:
- Have a material adverse impact on the hospital’s normal operations.
- Are likely to materially harm any aspect of the hospital’s operations.
- Result in the deployment of ransomware affecting a significant portion of the hospital’s information systems.
This broader definition underscores the importance of rapid reporting and response to potential threats, ensuring that hospitals can take swift action to protect their operations and patient data.
Additional Guidance and Clarifications
In response to public comments, the NYSDOH clarified that the regulations specifically apply to general hospitals and do not extend to managed care organizations. Furthermore, the definition of "nonpublic information" has been revised to include not only sensitive business-related information but also protected health information (PHI) and personally identifiable information (PII) as defined by the Health Insurance Portability and Accountability Act (HIPAA). This expansion means that hospitals must design their cybersecurity programs to protect a wider array of information than what HIPAA mandates.
Additionally, the regulations have refined the definition of "multi-factor authentication" to align more closely with industry standards. The NYSDOH has indicated that it will provide further guidance to help hospitals map the new requirements to established standards from the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA).
Conclusion
The adoption of these cybersecurity regulations by the NYSDOH marks a pivotal moment in the ongoing effort to protect healthcare institutions from the growing threat of cyberattacks. By establishing clear requirements for cybersecurity programs, incident reporting, and data protection, New York is taking proactive measures to ensure the safety and integrity of its healthcare system. As hospitals work towards compliance, the emphasis on robust cybersecurity practices will not only enhance their resilience but also foster greater trust among patients and stakeholders in the healthcare sector.
For more information on the content of this alert, please contact your Nixon Peabody attorney or the authors of this alert.