In response to Governor Hochul’s New York State Cybersecurity Strategy announced in August 2023, the New York Department of Health adopted regulations requiring general hospitals to report material cybersecurity incidents to the Department within 72 hours. The new regulations went into effect on October 2, 2024.
The regulations apply to general hospitals, defined under Public Health Law (PHL) §2801(10) as “a hospital engaged in providing medical or medical and surgical services primarily to in-patients by or under the supervision of a physician on a twenty-four hour basis with provisions for admission or treatment of persons in need of emergency care and with an organized medical staff and nursing service including facilities providing services relating to particular diseases, injuries, conditions, or deformities.” The definition does not include “residential health care facilit[ies], public health center[s], diagnostic center[s], treatment center[s], out-patient lodge[s], dispensar[ies] and laborator[ies,] or central service facilit[ies] serving more than one institution.”