Cyberattacks targeting healthcare organizations have been on the rise, and New York State is stepping up its defenses. As of October 2, 2024, new cybersecurity regulations are in effect for general hospitals in the state, marking a significant step forward in protecting sensitive patient data and ensuring the operational resilience of healthcare facilities. These new rules introduce a range of requirements that go beyond federal HIPAA regulations, demanding more stringent protections for patient data and a broader definition of sensitive information. With a compliance deadline set for October 2025, hospitals have one year to prepare, but they must immediately comply with the incident reporting requirements.
In this blog, we’ll break down the most important aspects of these new regulations, explain who they apply to, and why this move is a positive step for the healthcare sector.
Who’s Affected and Why This Matters
The new cybersecurity regulations in New York apply specifically to general hospitals, which are defined as facilities providing 24-hour inpatient medical and surgical services under a physician’s supervision. This affects approximately 195 hospitals licensed under Article 28 of the Public Health Law. These hospitals are now required to implement stricter security measures that go beyond the HIPAA Security and Breach Notification Rules, introducing more comprehensive protections for sensitive data.
Recognizing the financial burden that these new requirements may place on healthcare organizations, New York State has approved $500 million in funding to help hospitals meet these standards. “A statewide grant application was released earlier this year. Applications submitted are currently under review for consideration of funding,” a NYS health department spokeswoman said.
Despite this funding, the financial implications are substantial, particularly for smaller hospitals. NYS estimates that compliance will cost small hospitals with fewer than 10 beds between $50,000 and $200,000 annually; medium-sized hospitals with 10 to 100 beds between $200,000 and $500,000; and large hospitals with more than 100 beds approximately $2 million. These costs highlight the significant challenge faced by smaller, resource-constrained entities in implementing the necessary cybersecurity defenses.
Clearwater CEO Steve Cagle emphasized the need for financial support: “Cybersecurity is patient safety, and as such, it’s critical that all hospitals are meeting basic cybersecurity standards based on industry best practices. New York is taking steps to ensure patient safety, including protection of patient information, at hospitals is consistently met. However, time will tell if these new regulations make a significant impact, especially considering that cybersecurity is a shared responsibility among all stakeholders in the broader healthcare ecosystem, there are many organizations, such as larger specialty providers, digital health technology companies, and other service providers that are highly targeted by threat actors, yet not covered under these regulations. The funding for these hospitals needs to be released as soon as possible, as cyberattacks are increasing in frequency and in impact. Complying with new regulations—whether at the state or federal level—must be accompanied by continuing government funding support, as cybersecurity is not a ‘one and done’ but rather requires ongoing attention and continued investments. Government support is essential to help close the gap for resource-constrained entities, which arguably includes a vast majority of the healthcare sector.”
Key New Requirements and Why it Matters
The new regulations introduce several cybersecurity standards that hospitals must implement. Below is a detailed look at these requirements, drawn directly from Section 405.46 of New York’s Public Health Law.
1. 72-Hour Cybersecurity Incident Reporting
One of the most significant changes is the requirement that hospitals report “material” cybersecurity incidents to the New York State Department of Health (NYSDOH) within 72 hours of determining that an incident has occurred. A reportable incident includes events that:
-
Have a material adverse impact on hospital operations, or
-
Are likely to materially harm normal hospital operations, or
-
Involve the deployment of ransomware within hospital information systems.
Why It Matters: This is a more stringent requirement compared to HIPAA’s 60-day reporting window, ensuring hospitals respond to and report incidents faster. By introducing a tighter deadline, New York aims to minimize the potential damage from cyberattacks that could otherwise paralyze hospital operations or expose sensitive patient data. Also note, incident reporting and documentation requirement are effective as of 10/2/2024
2. Broader Protection for Nonpublic Information (NPI)
While HIPAA primarily protects protected health information (PHI), New York’s regulations expand the focus to include Nonpublic Information (NPI). This includes electronic information that is:
-
Confidential business-related information; Personally identifiable information that could identify an individual, even if it is not healthcare-related; and Protected Health Information (PHI), as defined by the HIPAA regulations.
Why It Matters: The inclusion of NPI broadens the scope of data protection. New York recognizes that hospitals store much more than PHI, and any breach of NPI can lead to serious consequences, including identity theft and financial fraud.
3. Appointment of a Chief Information Security Officer (CISO)
Hospitals are required to appoint a Chief Information Security Officer (CISO) to oversee cybersecurity efforts. The CISO may be an internal staff member or an external third-party contractor, but they must have appropriate training and expertise. The CISO is responsible for:
-
Developing and enforcing the hospital’s cybersecurity policies, conducting risk assessments, and providing annual reports to the hospital’s governing body on cybersecurity risks and program effectiveness.
Why It Matters: Formalizing the CISO role ensures that hospitals have dedicated leadership to manage their cybersecurity programs. This is critical for maintaining a proactive stance against cyber threats and ensuring that hospitals have a centralized figure overseeing risk management.
4. Cybersecurity Program and Risk Assessment
Each hospital must implement a comprehensive cybersecurity program that includes:
-
Identification and assessment of internal and external cybersecurity risks,
-
Protective policies and defensive infrastructure,
-
Detection of cybersecurity events, and
-
Response and recovery plans to mitigate the effects of an attack.
-
Additionally, hospitals are required to conduct annual risk assessments of their information systems, which must be used to inform the development of the cybersecurity program. These risk assessments should address changes in hospital information systems, nonpublic information, and business operations, and incorporate controls for evolving threats.
Why It Matters: Continuous risk assessment and monitoring ensure that hospitals remain aware of their vulnerabilities and can take action to mitigate them. By mandating this annual process, New York is pushing hospitals to stay one step ahead of attackers.
5. Testing, Vulnerability Assessments, and Penetration Testing
Hospitals must conduct regular penetration testing and vulnerability assessments to evaluate their cybersecurity program’s effectiveness and remediate vulnerabilities. At a minimum, hospitals must:
-
Perform annual penetration testing by a qualified internal or external party, and
-
Conduct automated scans or manual reviews of information systems to identify cybersecurity vulnerabilities.
Why It Matters: Penetration testing is a proactive approach that helps hospitals identify weaknesses before attackers can exploit them. By mandating regular testing, New York is ensuring that hospitals are continually improving their cybersecurity defenses.
6. Audit Trails and Six-Year Record Retention
Hospitals must maintain audit trails to detect and respond to cybersecurity incidents. These records, along with other documentation related to system design and security, must be retained for at least six years.
Why It Matters: Audit trails are crucial for tracing unauthorized access and responding to cyber incidents. Requiring hospitals to retain these records for six years provides a long-term view of security management and compliance.
7. Incident Response Plan
Each hospital must implement a written incident response plan that addresses how the hospital will respond to and recover from cybersecurity incidents. The plan must include:
-
Roles and responsibilities,
-
Internal and external communication plans,
-
Documentation of response activities, and
-
Steps to remediate weaknesses in information systems.
Why It Matters: Having a clear and actionable incident response plan ensures hospitals can quickly respond to and recover from cyberattacks. This minimizes downtime and helps maintain patient safety and care during an incident.
8. Security for Third-Party Providers
Hospitals must implement policies and procedures to ensure that third-party service providers maintain appropriate cybersecurity practices. This includes:
-
Identifying third-party vendors that access hospital information systems, and
-
Requiring these vendors to comply with minimum cybersecurity standards.
Why It Matters: Many cyberattacks originate from vulnerabilities in third-party systems. By holding vendors accountable for their security practices, hospitals can reduce their overall risk exposure.
9. Multifactor Authentication (MFA)
Hospitals must implement multifactor authentication (MFA) for accessing internal networks from external locations. If MFA is not feasible, compensating controls must be put in place with approval from the hospital’s CISO.
Why It Matters: MFA adds an essential layer of security by requiring users to provide two or more authentication factors before accessing sensitive systems. This is one of the most effective ways to prevent unauthorized access to hospital networks.
10. Access Management
Hospitals must periodically, at least annually, review all user access privileges. During these reviews, hospitals are required to remove or disable accounts and access that are no longer necessary.
Why It Matters:
Regular user access reviews help hospitals ensure that only authorized personnel have access to critical systems and sensitive data. By removing outdated or unnecessary accounts, hospitals reduce the risk of unauthorized access, data breaches, and potential insider threats. This practice also supports compliance with regulatory standards like HIPAA, reinforcing strong data protection and security protocols within healthcare organizations.
11. Monitoring Requirements
Hospitals must implement continuous monitoring and annual penetration testing to assess the effectiveness of their cybersecurity program. Monitoring should include logging, detecting, and responding to unauthorized access and security incidents, with a focus on timely remediation based on the severity of identified risks.
Why It Matters:
Continuous monitoring is crucial for identifying vulnerabilities and mitigating threats in real-time. By regularly testing and monitoring systems, hospitals can better safeguard sensitive patient data, prevent security breaches, and maintain compliance with healthcare cybersecurity regulations.
12. Cybersecurity Training and Awareness
Hospitals must provide regular cybersecurity training for all personnel, with updates to reflect new risks identified in the annual risk assessment. This training may include phishing simulations and remediation for employees who fall victim to simulated attacks.
Why It Matters: Employees are often the weakest link in cybersecurity defenses. Regular training ensures that staff are equipped to not only understand policies and procedures but recognize and respond to common threats like phishing, reducing the likelihood of a successful attack.
Securing the Broader Ecosystem
The new regulations set a high bar for hospital cybersecurity and represent a substantial improvement over previous standards. However, while hospitals are a critical component of healthcare, they are not the only entities at risk. Cagle notes, “hospitals tend to be more regulated and, therefore, often have a more advanced security posture than other healthcare industry participants, such as physician practices, ambulatory surgical centers, nursing homes, or technology providers and other business associates, which are not currently covered by these regulations.” This raises the question of whether the new hospital requirements will lead to the comprehensive improvement regulators hope for in healthcare cybersecurity.
A Model for Other States?
Just as New York led the way in financial services cybersecurity regulation, it’s likely that other states will look to these hospital cybersecurity regulations as a model. As more states recognize the importance of strong cybersecurity frameworks, we can expect similar rules to be enacted nationwide.
Conclusion
New York’s updated cybersecurity regulations mark a significant step forward in safeguarding patient data and ensuring operational resilience across hospitals. With stricter cybersecurity standards that go beyond HIPAA requirements, these new rules push hospitals to be more proactive and comprehensive in their cybersecurity efforts. The inclusion of broader protections for NPI, mandatory incident reporting, and the appointment of dedicated cybersecurity leadership all highlight New York’s commitment to raising the bar.
However, the challenge remains significant, particularly for smaller hospitals facing steep compliance costs. While
New York’s $500 million in funding offers support, hospitals must act now to start implementing these changes, ensuring they meet the October 2025 deadline. Importantly, other healthcare entities outside the scope of these regulations—such as physician practices and ambulatory surgical centers— and business associates – like digital health companies – must also recognize the need to strengthen their cybersecurity practices to safeguard the entire ecosystem.
The time to act is now. Hospitals should prioritize conducting thorough risk assessments, appointing a Chief Information Security Officer (CISO), and building robust incident response plans. Proactive steps today will help ensure compliance tomorrow and protect patients from the growing threat of cyberattacks.
For hospitals across the nation, New York’s regulations serve as a blueprint for what could soon be the standard in healthcare cybersecurity. It’s imperative that healthcare organizations everywhere begin aligning their cybersecurity practices with these new regulations to prepare for future legislation.
Stronger cybersecurity measures are not just a regulatory requirement—they are essential for the safety, privacy, and trust of patients. Now is the time for hospitals to rise to the challenge and lead the way in building a more secure healthcare future.
