A New Budgetary Line Item for 2025 - New York-based Hospitals Should Plan Now for the Fiscal and Operational Costs Associated with Compliance with the State’s New Cybersecurity Regulations

BakerHostetler

Key Takeaways

  • Hospitals in New York state must consider the fiscal and operational cost of the New York State Department of Health cybersecurity regulations when setting 2025 budgets and major project plans.
  • Effective immediately, general hospitals in New York state are required to report any cyber incident to the New York State Department of Health as soon as possible and no later than 72 hours after determining that an incident occurred.
  • New York-based hospitals are also required to conduct risk assessments and implement a robust cybersecurity program based on their findings by October 2, 2025.

Introduction

On October 2, the New York State Department of Health (NYSDOH) issued new cybersecurity regulations (Regulations) for all general hospitals in New York state (“hospitals”), creating a new Section 405.46 in Title 10 (Health) of the New York Official Compilation of Codes, Rules and Regulations of the State of New York (10 NYCRR § 405.46). Now, in addition to breach notification requirements in other applicable laws like HIPAA, the hospitals must report cybersecurity incidents to NYSDOH within 72 hours of discovery. The Regulations also set forth a broad spectrum of information security controls and practices that must be implemented as part of the covered hospitals’ operative cybersecurity programs.

Compliance will require an all-hands-on-deck approach by hospital leadership teams. If your team’s holiday wish list includes a deep-dive into these new requirements, you’re in luck. Grab some cocoa and a highlighter, as we unwrap the key requirements and issues regarding the scope of the Regulations’ coverage, incident notification provisions, and cybersecurity program components.

It's like NYDFS, But for Healthcare…

If you’re experiencing déjà vu, you are not alone. Cybersecurity practitioners who are familiar with the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies, known as the NYDFS requirements, will see many similarities between those financial services sector rules and the NYSDOH Regulations. When the NYDFS requirements were first promulgated in 2017, they were initially viewed as too prescriptive, too burdensome, and more aggressive than many existing cybersecurity regulatory regimes in the sector, including federal laws.

Come 2024 and seven years of catastrophic cyberattacks later, the NYDFS requirements begin to seem quite reasonable. Even the amended regulations, which became effective in November 2024, are focused on mitigating many of the pain points felt during a ransomware incident, and include business continuity planning, proactive measures and disaster recovery measures.

And we think this is just the beginning: New York regulators had a productive 2024, levying financial penalties in the millions against New York-based healthcare industry companies for cybersecurity-related issues. Our insights from state regulators suggest that penalties will continue to increase, and we anticipate these new regulations will serve as a vehicle to further enforcement efforts in the healthcare space.

With the introduction of these highly specific regulations for hospitals, healthcare industry practitioners are experiencing reactions similar to those seen with the initial NYDFS regulations. While these new requirements align with today’s evolving information security standards and frameworks, they are significantly more prescriptive than the HIPAA Security Rule. They do, however, make a hospital’s “risk assessment” the key driver behind the selection and implementation of security controls. The emphasis on the risk assessment is fundamentally consistent with the HIPAA Security Rule’s use of the HIPAA Security Risk Analysis, which is the focus of OCR’s newly announced Risk Analysis Initiative.

Scope of Regulatory Coverage

The Regulations apply to any general hospital that is licensed in New York under Article 28 of the Public Health Law. This includes hospitals that are engaged in providing medical services primarily to inpatients on a 24-hour basis, treat emergencies, and have an organized medical staff and nursing service.

The following providers are excluded from coverage: residential healthcare facilities, public health centers, diagnostic centers, treatment centers, outpatient lodges, and dispensary and laboratory or central service facilities serving more than one institution. This last exclusion is interesting because one of the largest fines ever assessed by the New York Attorney General’s Office was a 2024 fine against an entity operating in the clinical lab space.

Expansion of Protected Information

Just as the NYDFS requirements expanded the scope of covered data beyond familiar categories like “personal financial information” (PFI) or “personally identifiable information” (PII) to “non-public information” (NPI), the scope of data covered by the Regulations goes beyond PII and familiar industry categories like HIPAA’s “protected health information” (PHI): the Regulations apply to the broader category of NPI. This could have important practical consequences for covered entities that have structured information governance and cybersecurity programs to target and isolate PHI or PII in an effort to narrow the scope of the data environment subject to certain requirements. Such entities will need to reassess whether they need to expand or modify security controls applied to systems that may contain NPI, but not PHI or PII.

Incident Reporting Requirement

Effective immediately, hospitals must report incidents to NYSDOH as soon as possible and no later than 72 hours after determining that an incident has occurred. According to the Regulations, a “cyber incident” includes an event that (1) “has a material adverse impact on the normal operations of the hospital,” (2) “has a reasonable likelihood of materially harming any part of the normal operation(s) of the hospital,” or (3) “results in the deployment of ransomware within a material part of the hospital’s information systems.” 10 NYCRR § 405.46(b)(5)(i)-(iii).

For hospitals that have more than 500 beds and will also be subject to the federal Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the tight timeframe may seem familiar. Those hospitals will need a robust and fast-paced decision tree to assess the myriad reporting obligations coming their way in 2025.

Cybersecurity Program Requirements

Hospitals have until October 2, 2025, to implement the Regulations’ requirements. During the time left until the deadline, hospitals will need to conduct a risk assessment that complies with the Regulations and implement the specified controls accordingly.

The NYSDOH Regulations (like the NYDFS requirements) lay out certain general design principles and “core functions” of the required cybersecurity program, as well as some 15 general areas that must be covered in cybersecurity policies. Hospitals will of course need to examine these principles and policy scope requirements and make sure they can articulate how their program design and policy documentation meet them. For mature cybersecurity programs, these are not likely to be difficult compliance hurdles to overcome even if gaps exist. However, there are specific administrative, technical, and physical controls required by the Regulations that could require more resources to implement.

These are highlighted and summarized below:

1. Access Reviews

In addition to the general requirement to follow the bedrock access control principle of “least privilege” (albeit applied to NPI, not merely PHI), the Regulations specifically require hospitals to “periodically review such access privileges.” To be able to demonstrate compliance with the access review requirement, hospitals will need to make sure they have formalized these kinds of reviews. This means that the reviews should proceed according to documented procedures that lay out who will conduct them, how, and how frequently, and what recordkeeping will be generated as output.

2. Secure Development

Software development is an aspect of information security that is much more familiar to tech companies and other types of businesses whose operations include some component of software development, although for most non-tech businesses this is through an outsourcing relationship with a development firm. Here (and again, like the NYDFS requirements), the requirements for secure development practices apply not only to applications that are developed internally, but extend to what is essentially a third-party risk management process of “evaluating, assessing, and testing” externally developed applications used by the hospitals. This means that hospitals need a formalized secure software development lifecycle (SSDLC) process, including minimum SSDLC requirements that apply to third-party developers. On top of the SSDLC process, the Regulations require formalizing an annual review and attestation procedure to be conducted by the hospital’s chief information security officer (CISO) or “qualified designee.”

3. Secure Disposal

While hospitals are familiar with the HIPAA Security Rule’s requirements regarding sanitization and destruction of PHI storage media and devices, the Regulations effectively require extending such practices to NPI. Establishing appropriate timing in terms of purging data by secure means involves a series of judgments that are familiar to those charged with more general data privacy law compliance but are challenging to implement in practice nonetheless, given the absence of bright lines. Periodic secure disposal must be applied to “any [NPI] identified that is no longer necessary for business operations or other legitimate purposes of the hospital, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which information is maintained.”

There is a high level of maturity needed in terms of information governance to effectively comply with these types of requirements in the context of an organization with information technology (IT) ecosystems as complex as those of a hospital. A full discussion of what this would entail is far beyond the scope of this article, but it begins with a fundamental practice that is nevertheless commonly overlooked despite the fact that it is manifestly essential for compliance: data mapping. In other words, if they haven’t done it already, hospitals need to determine and document what data (and remember, here it is not just PHI or even PII, but more broadly NPI) is in what systems. Common sense dictates that only after accurate and comprehensive data mapping is completed can a demonstrably effective secure disposal program – one that is integrated with records retention policies and schedules, litigation hold procedures, and other information governance program elements – be developed and implemented.

4. Encryption

There is nothing new or specific in the Regulations on encryption that represents a departure from the HIPAA Security Rule, except that now it needs to extend more broadly to NPI, at rest and in transit, as opposed to merely PHI. The hospital’s CISO is required to review and approve any “compensating controls” implemented based on a determination that encryption is infeasible. This is not a “check-the-box” exercise. The Regulations specifically require documenting the justification for the determination of infeasibility, and the compensating control must be demonstrably “equivalent.” Moreover, the CISO must revisit this assessment, reviewing and documenting it at least annually. A compensating control is not just another or different control; it must somehow perform the same security function as the control deemed infeasible, and it is not clear what qualifies as an acceptable alternative when encryption is the control requiring substitution.

5. Email Security

The Regulations specifically call out controls around email-based threats, which makes sense because email account compromises remain one of the most common cybersecurity threat vectors. Hospitals should make sure that they are configuring email platforms securely in line with industry benchmarks or at least vendor standards. They should also acquire a level of licensing for their email platform that includes advanced threat protection features, or layer a specialty email security solution on top of their email platform “to ensure their effectiveness against evolving threats,” as the Regulations put it.

6. CISO

Hospitals must designate a member of “senior or executive level staff” with the qualifications in terms of “training, experience, and expertise” to serve as CISO. The CISO is also tagged with an annual, written reporting requirement to the hospital’s governing body, with a list of required elements to be included. While the Regulations explicitly allow for the outsourcing of this position, in practice, we’ve observed that organizations do not receive the same benefit they would by hiring a dedicated employee. Although beyond the scope of this article, organizations are often disappointed in outsourced CISO services for reasons having to do with internal organizational accountability, financial incentives for “fractional,” “part-time,” or “virtual” CISOs (“V-CISOs”) that involve serving multiple clients simultaneously, a lack of mentorship and development for more junior team members, and an unwillingness to advise when the hospital is faced with a regulatory investigation. That being said, it is permitted under the Regulations, and we expect to see a proliferation of V-CISOs marketing their services to covered hospitals.

7. Monitoring and Testing

There are high-level security “monitoring and testing” requirements that essentially boil down to having a vulnerability management program that includes (a) at least annual penetration testing, (b) vulnerability scanning, and (c) “timely” risk-based remediation of identified vulnerabilities.

8. Audit Trails and Records

The NYSDOH Regulations generally describe requirements to maintain certain records for a time period consistent with the HIPAA compliance retention period – six years. Depending on how one interprets what is sufficient under these general categories of records, that could be a major departure from current practice for many hospitals. For example, given the volume of log data produced by a hospital, it is common to have retention periods in place for logging data or other “security telemetry” that is measured in months, not years.

Under the new requirements, however, the records that must be retained for six years include those “pertaining to systems design, security, and maintenance supporting…normal operations” and “pertaining to audit trail systems” that are “designed to detect and respond to cybersecurity events…and incidents” as defined in the Regulations. Hospitals will need to assess their current log retention practices and adjust them where necessary for compliance with the six-year retention requirements, as well as ensure that they can articulate how the logs they have decided to retain for six years fit within the “audit trails and records” categories set forth in the regulations.

The six-year retention requirement is also addressed in the section titled “Department Reporting,” which contains the incident notification requirements. Somewhat unhelpfully, this documentation includes “… such information[] as the department determines to be necessary, including but not limited to any and all documentation, such as records, schedules, reports, and data required and supporting the required documentation by this section.” Also daunting is the fact that the section goes on to require that where “a hospital has identified areas, systems or processes that require material improvement, updating or redesign,” the hospital document and retain “the identification and the remedial efforts planned, and underway, to address such areas, systems or processes.” Hospitals that do not have mature change management processes are going to have a hard time complying with this provision and will need to start mapping out a process that captures all of the required information in a manner that can be demonstrated in the event of an audit.

9. Risk Assessment

As with the HIPAA Security Rule, the risk assessment is considered a foundation justifying the security program’s overall design and implementation. Helpfully, the Regulations explicitly authorize the use of risk assessments “performed for other regulatory purposes, such as HIPAA,” for compliance with this requirement. Note, however, that the Regulations require at least annual performance of the risk assessment.

10. Cybersecurity Personnel

In terms of the human resources that “manage … perform or oversee” the cybersecurity program, the Regulations require that they be “qualified,” but permit them to be internal personnel, those of an affiliate, or even a third-party service provider. Hospitals should be thinking about how they allocate these responsibilities in terms of being able to explicitly articulate corresponding qualifications. Sufficiently demonstrating compliance with the Regulations may require providing specialized training for personnel in security roles, adjusting job descriptions and prerequisites for security hires, or requiring evidence of certifications or other qualifications from third-party service providers.

11. TPRM

Third-party risk management (TPRM) is another key component of an overall cybersecurity program, a full discussion of which is well beyond the scope of this article. But at least this domain will be familiar to healthcare cybersecurity practitioners accustomed to dealing with HIPAA business associates and the due diligence, vetting, and contractual requirements imposed under the HIPAA Security Rule.

12. Identity and Access Management

a. Multi-Factor Authentication (MFA)

Consistent with prevailing current industry standards, MFA is required for remote access to hospital networks (“unless the hospital’s CISO has approved in writing the use of compensating controls”). Organizations that want to keep up with the evolving threat landscape will pay careful attention to how MFA is implemented, as attacks are increasingly taking advantage of MFA mechanisms considered “phishable” and otherwise relatively weak.

b. Privileged Access

In addition to limiting privileged access to the minimum necessary (“least privilege” principle), hospitals are required to do what has been considered a security best practice for many years in provisioning separate privileged accounts for users who need privileged access (e.g., for IT administrative purposes) and non-privileged (i.e., regular user) accounts for those who don’t. Moreover, privileged accounts must be used only for purposes that require elevated access rights, while regular accounts should be used for routine activities such as email or Web browsing.

c. Remote Access to Devices

Many security compromises involve leveraging protocols for directly connecting to and controlling networked devices, such as Remote Desktop Protocol (RDP), as these are often insecurely configured. The Regulations require making a choice – either securely configure such protocols if their use is indeed necessary or important operationally, or simply disable them if they are not (which is much simpler and more secure).

d. De-Provisioning

Hospitals should have formalized processes that cover the access management lifecycle, including not just how access is originally determined, approved, and provisioned, but also and especially how it is revoked when a user leaves the organization for whatever reason. It is easy to miss certain access rights, for example with accounts for “software-as-a-service” websites where these are not centrally managed by IT. An effective process lays out who is responsible for doing what and how when it comes to revoking access that is no longer appropriate, in a way that is comprehensive and considers applications that are not under central controls. The Regulations simply require that the termination of access happen “promptly following departures,” but hospitals should be considering what needs to be developed in terms of process and procedure to enable compliance with this requirement.
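One way to turn the comprehensive revocation process described above into a repeatable check, as an added example that is not part of the original article or of any product it mentions: the script below reconciles constructed account exports from a central identity provider and two non-federated SaaS tools against a constructed HR departures list and current roster. It flags accounts that are still active for departed users (with the days elapsed since departure, which is the evidence an auditor will ask for when judging whether revocation was “prompt”) and active accounts with no named HR owner, and it writes a dated review record of the kind the access-review recordkeeping discussed under item 1 calls for. The application names, identities, dates and record layouts are all assumptions made for the example.

```python
"""Reconcile per-application account exports against HR data to surface
access that should have been revoked.  Every record below is constructed
for this example; the layouts are assumptions, not any vendor's export format."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

# Constructed HR feed of departed staff and their last day.
HR_DEPARTURES: Dict[str, date] = {
    "jane.doe@example-hospital.org": date(2024, 11, 15),
    "sam.lee@example-hospital.org": date(2024, 12, 2),
    "r.patel@example-hospital.org": date(2024, 10, 1),
}

# Constructed HR roster of current staff.
CURRENT_STAFF = {"k.nguyen@example-hospital.org", "m.ortiz@example-hospital.org"}

# Constructed account exports.  The IdP is centrally managed and already
# disabled the leavers; the two SaaS tools are not federated, which is where
# stale access tends to hide.  Note the inconsistent letter case.
ACCOUNT_EXPORTS: Dict[str, List[dict]] = {
    "idp": [
        {"user": "Jane.Doe@example-hospital.org", "status": "disabled"},
        {"user": "sam.lee@example-hospital.org", "status": "disabled"},
        {"user": "r.patel@example-hospital.org", "status": "disabled"},
        {"user": "k.nguyen@example-hospital.org", "status": "active"},
    ],
    "scheduling-saas": [
        {"user": "jane.doe@example-hospital.org", "status": "active"},
        {"user": "k.nguyen@example-hospital.org", "status": "active"},
    ],
    "survey-tool": [
        {"user": "SAM.LEE@example-hospital.org ", "status": "active"},
        {"user": "shared-reports@example-hospital.org", "status": "active"},
    ],
}

AS_OF = date(2025, 1, 6)  # constructed review date


@dataclass(frozen=True)
class Finding:
    application: str
    account: str
    kind: str                 # "stale_access" or "unowned_account"
    days_open: Optional[int]  # days since departure for stale_access, else None


def normalize(identity: str) -> str:
    """Exports disagree on case and whitespace; compare a canonical form."""
    return identity.strip().lower()


def reconcile_access(departures: Dict[str, date], exports: Dict[str, List[dict]],
                     current_staff: Iterable[str], as_of: date) -> List[Finding]:
    """Return findings for every active account that belongs to a departed
    user, or that has no owner in HR at all (shared/service accounts that
    nobody is accountable for).  Disabled accounts are ignored."""
    departed = {normalize(u): d for u, d in departures.items()}
    staff = {normalize(u) for u in current_staff}
    findings: List[Finding] = []
    for app, accounts in exports.items():
        for acct in accounts:
            if acct["status"] != "active":
                continue
            ident = normalize(acct["user"])
            if ident in departed:
                findings.append(Finding(app, ident, "stale_access",
                                        (as_of - departed[ident]).days))
            elif ident not in staff:
                findings.append(Finding(app, ident, "unowned_account", None))
    # Longest-open stale access first, so the worst gaps top the review.
    return sorted(findings,
                  key=lambda f: (f.kind, -(f.days_open or 0), f.application))


def review_record(findings: List[Finding], reviewer: str, as_of: date) -> str:
    """Render a dated, attributable record of the review and its actions;
    this is the artefact retained as evidence that the review took place."""
    lines = [f"Access revocation review {as_of.isoformat()} by {reviewer}",
             f"Applications reviewed: {len(ACCOUNT_EXPORTS)}; findings: {len(findings)}"]
    for f in findings:
        action = ("revoke immediately" if f.kind == "stale_access"
                  else "assign named owner or disable")
        age = f"{f.days_open} days after departure" if f.days_open is not None else "no HR owner"
        lines.append(f"- {f.application}: {f.account} ({age}) -> {action}")
    return "\n".join(lines)


if __name__ == "__main__":
    results = reconcile_access(HR_DEPARTURES, ACCOUNT_EXPORTS, CURRENT_STAFF, AS_OF)
    print(review_record(results, "security-ops", AS_OF))
```

The two SaaS findings are exactly the cases the paragraph warns about: the identity provider did its job, but the non-federated tools never heard about the departures. Feeding every application export, not only the federated ones, into a check like this is what makes the process comprehensive, and keeping the rendered record is what lets the hospital demonstrate it later.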

13. Training and User Monitoring

Just like the NYDFS regulations, the NYSDOH Regulations oddly pair these two very different security program domains. With respect to monitoring, they track with the HIPAA Security Rule in terms of requiring that user activity be monitored with the aim of detecting unauthorized access or improper access to data (although here again that would include NPI, not just PHI). Regular cybersecurity awareness training must be provided that can be shown to “reflect risks identified by the hospital in its risk assessment, which may include” at least annual phishing exercises with corresponding remedial training based on results.

14. Incident Response Plans (IRP)

The IRP is a universal cybersecurity program must-have that will be familiar to hospitals already. However, hospitals will need to assess their IRPs against the language in the Regulations that outlines the minimum required elements of IRP content and make sure they can point to the parts of their IRP that satisfy these elements.

Ringing in 2025

Under the Regulations, hospitals will need to adhere to new reporting requirements that are effective immediately and review and adjust their current cybersecurity programs in depth prior to October 2, 2025. For those larger hospitals with mature HIPAA cybersecurity compliance programs, this may not be an overly burdensome process. However, most hospitals do not fall into this category. They will need to conduct security and compliance risk assessments as soon as possible to allow ample time to assess gaps and determine implementation plans for compliance with these new regulations. With the clock having started to tick toward a compliance deadline that is less than a year away, there is no time to waste.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© BakerHostetler
