New York Cybersecurity Regulations & the Future of HIPAA

What Healthcare Leaders Need to Prepare for Now

A Regulatory Deep Dive with Clearwater and Kirkland & Ellis

Healthcare cybersecurity regulation is entering a more prescriptive, accountability-driven era even as federal enforcement appears to slow.

In this session of the Healthcare Cyber & Compliance Exchange, healthcare privacy, compliance, and legal leaders unpacked what New York’s new cybersecurity requirements signal for hospitals nationwide, how the anticipated HIPAA Security Rule updates may diverge from early proposals, and why boards and executives are now firmly in scope.

Featuring Andrew Mahler, Vice President of Privacy & Compliance Services at Clearwater Security, and Rob Kantrowitz, Partner at Kirkland & Ellis, the discussion cut through the regulatory noise and offered practical guidance for leaders navigating uncertainty.

Watch more from this event:

Building a Strong Healthcare Cybersecurity Program | Practical Guidance

2026 Healthcare Cyber Threat Landscape | Risk, Regulation & Resilience


Why New York Acted First

Rob opened by framing New York’s hospital cybersecurity regulations not as a surprise, but as an expected evolution.

“New York decided to codify what had previously lived in guidance and gray areas.”

Rather than focusing solely on the protection of patient data, New York's approach emphasizes operational resilience, recognizing that cyber incidents disrupt care delivery even when no data is exfiltrated.

Under the New York rule (10 NYCRR 405.46), a cybersecurity incident includes any event that results in:

    • Material disruption to normal hospital operations

    • A reasonable likelihood of material harm to any part of those operations

    • Deployment of ransomware within a material part of the hospital's information systems

Such incidents must be reported to the New York State Department of Health within 72 hours of determination, a clock that starts whether or not any patient data was accessed.

This marks a significant departure from HIPAA's narrower breach definition, which centers on the unauthorized acquisition, access, use, or disclosure of unsecured PHI.

“This is about protecting the infrastructure that enables patient care.”


Prescriptive Requirements and Real Cost

While many concepts in the regulation mirror existing best practices, New York's approach removes flexibility.
    • Annual risk assessments are mandatory.

    • A designated, qualified CISO is required.

    • Written reports must go directly to the governing body.

Rob was candid about the financial impact.

“This is no cheap endeavor.”

Initial implementation costs were estimated to range from $250,000 to $10 million, with ongoing annual costs as high as $2 million, depending on organizational size.

For smaller and rural hospitals, this lift is significant but, in most cases, unavoidable.


Governance With Teeth: Boards Are Now Explicitly Accountable

One of the most consequential aspects of the New York regulation is governance.

Unlike HIPAA, which leaves leadership involvement largely implied, New York explicitly requires boards and executives to:
    • Review cybersecurity program effectiveness

    • Understand material cyber risk

    • Approve incident response plans

“There’s very little room for plausible deniability.”

Rob noted that while the regulation does not create a private right of action, plaintiffs' counsel may still cite noncompliance as evidence of negligence, raising both regulatory and litigation exposure.

Andrew reinforced that this shift fundamentally changes how cybersecurity must be discussed internally.

“Cybersecurity can no longer live as a side issue. It has to be understood and owned at the board level.”


Evidence Over Intent: What Regulators Are Looking For

A recurring theme throughout the discussion was the regulatory shift toward evidence over intent.

Good faith efforts are no longer enough.

“‘Tried my best’ is not always a great excuse.”

Regulators are increasingly focused on whether organizations can demonstrate:
    • Documented decision-making

    • Consistent governance processes

    • Evidence of compliance with prescriptive requirements

Andrew emphasized that documentation extends beyond policies.

“Committee notes, meeting notes, and records of how decisions were made all matter.”


HIPAA Security Rule Updates: What’s Likely — and What’s Not

While New York moves aggressively, federal action appears slower and less certain.

Rob shared insight into the anticipated HIPAA Security Rule updates, noting that the proposed rule published in January 2025 was highly prescriptive — mandating encryption of ePHI, multifactor authentication, and network segmentation — but may be significantly softened due to industry lobbying and shifting federal priorities.

“The word on the street is that some of the more rigid security requirements may be toned down.”

Instead, updates may focus more heavily on interoperability and access — leaving states like New York to set the de facto security baseline.


Why New York Matters Beyond New York

Even for organizations without a physical presence in the state, New York’s regulations may shape expectations elsewhere.

“What starts as a state requirement often becomes the standard of care.”

Both speakers emphasized that regulators and plaintiff attorneys alike look to strict state laws when defining reasonable security practices — regardless of jurisdiction.

“This is how expectations migrate.”


Navigating the Patchwork Without Burning Out

For multi-state systems facing regulatory fatigue, the guidance was pragmatic:
    • Build toward the most stringent applicable standard

    • Address state-specific nuances at the margins

    • Avoid chasing every rule independently

“Compliance is a journey — but it has to be sustainable.”

Automation, centralized governance, and shared controls were cited as critical to long-term resilience.


Turning Mandates Into Sustainable Programs

Despite the burden, the session closed on a note of cautious optimism.

Rob highlighted new federal funding opportunities — including rural health transformation programs — that may help offset cybersecurity investments.

Andrew underscored a broader shift.

“Liability and accountability are moving closer to the boardroom. That creates opportunity.”

When risk is clearly tied to patient care, operations, and leadership responsibility, conversations about budget and prioritization change.


Watch the Session Replay

This session is designed for healthcare compliance, privacy, legal, and security leaders navigating regulatory change and board accountability.

Watch the full replay to hear the complete discussion and audience Q&A.
