chevron-down Created with Sketch Beta.

ARTICLE

New York State Adopts New Cybersecurity Regulations for General Hospitals

Kathryn Van Sistine

New York State Adopts New Cybersecurity Regulations for General Hospitals
Morsa Images via Getty Images

In response to Governor Hochul’s New York State Cybersecurity Strategy announced in August 2023, the New York Department of Health adopted regulations requiring general hospitals to report material cybersecurity incidents to the Department within 72 hours. The new regulations went into effect on October 2, 2024. 

The regulations apply to general hospitals, defined under Public Health Law (PHL) §2801(10) as “a hospital engaged in providing medical or medical and surgical services primarily to in-patients by or under the supervision of a physician on a twenty-four hour basis with provisions for admission or treatment of persons in need of emergency care and with an organized medical staff and nursing service including facilities providing services relating to particular diseases, injuries, conditions, or deformities.” The definition does not include “residential health care facilit[ies], public health center[s], diagnostic center[s], treatment center[s], out-patient lodge[s], dispensar[ies] and laborator[ies,] or central service facilit[ies] serving more than one institution.” 

A “material” cybersecurity incident is defined as an event that: (i) has a “material adverse impact” on the normal operations of the hospital, (ii) has a reasonable likelihood of materially harming any part of the normal operation(s) of the hospital, or (iii) results in the deployment of ransomware within a material part of the hospital’s information systems. 

The regulations also established other requirements general hospitals must accomplish by October 2, 2025, including implementing a written cybersecurity program, designating a Chief Information Security Officer (CISO), performing risk assessments, and adopting multifactor authentication controls that align with industry standards. 

    Author