7 October 2024

New York State Adopts New Cybersecurity Program And Incident Reporting Requirements For Hospitals

Ropes & Gray LLP


On October 2, 2024, the New York State Department of Health ("NYSDOH") adopted hospital cybersecurity regulations (the "Regulations") that it first released in November 2023.[1] We previously summarized the initially introduced and subsequently revised proposed regulations in November 2023 and June 2024 client alerts.[2]

Effective immediately, hospitals in New York State are required to report to NYSDOH as promptly as possible, but not later than 72 hours after determining that a cybersecurity incident has occurred. A cybersecurity incident is an event that (i) has a material adverse impact on the normal operations of the hospital; (ii) has a reasonable likelihood of materially harming any part of the normal operation(s) of the hospital; or (iii) results in the deployment of ransomware within a material part of the hospital's information systems. Hospitals must retain documentation related to such incidents for at least six years and provide it to NYSDOH upon request.

Other requirements of the Regulations have been implemented largely as proposed and will come into effect on October 2, 2025.[3] Notable requirements of the Regulations are summarized below:

  • Requirements Applicable to Nonpublic Information: The Regulations impose cybersecurity requirements with respect to "Nonpublic Information," which includes a hospital's confidential business-related information and information that can be used to identify a natural person. This is broader than the federal Health Insurance Portability and Accountability Act's ("HIPAA") applicability to "protected health information" that can be used to identify a patient.
  • Cybersecurity Program: The Regulations require hospitals to establish a cybersecurity program that features specified capabilities, including identification and assessment of cybersecurity risks, defensive infrastructure, and response to identified or detected cybersecurity events to mitigate any negative effects.
    • The Regulations introduce a new requirement for hospitals to implement security controls to mitigate risks arising from electronic mail-based threats (such as spoofing, phishing, and fraud), and to review and update such controls on a regular basis to ensure their effectiveness against evolving threats. In addition, the hospital's cybersecurity policy must be adopted in accordance with the hospital's risk assessment and applicable state and federal law.
  • CISO: Hospitals are required to appoint a qualified senior or executive-level staff member with proper training, experience, and expertise to serve as Chief Information Security Officer ("CISO"). The CISO must recommend the hospital's cybersecurity policy for approval by the hospital's governing body and provide an annual written report to the governing body on the hospital's cybersecurity program and material cybersecurity risks.
  • Cybersecurity Personnel: Hospitals are required to use qualified cybersecurity personnel or a third-party service provider to manage the cybersecurity program. If using a third-party service provider, the hospital is required to implement written policies and procedures designed to ensure the security of information systems and Nonpublic Information accessed by such third party. The Regulations also specify requirements for third-party service provider contracts. Hospitals that engage third-party service providers to assist with their cybersecurity programs may need to review the terms of such engagements to ensure compliance with these new requirements.
  • Information System User Authentication: Hospitals must use multi-factor authentication, risk-based authentication, or other compensating controls for user authentication to protect against unauthorized access to Nonpublic Information or information systems. Multi-factor authentication is required for accessing the hospital's internal network from an external network, unless the CISO approves otherwise in writing.
    • The Regulations introduce additional requirements regarding user access privileges and privileged accounts that can be used to perform security-relevant functions that ordinary users are not authorized to perform (such as the ability to add, change or remove other accounts, or make configuration changes to information systems). Specifically, hospitals must limit user access privileges to information systems that provide access to Nonpublic Information to only those necessary to perform the user's job. In addition, hospitals must have separate privileged accounts that are limited in number and access functions to only the quantity and capabilities necessary to perform required privileged functions. Hospitals also must review all user access privileges and remove or disable accounts and access that are no longer necessary at least annually, promptly terminate access following departures, and disable or securely configure all protocols that permit remote control of devices.
  • Testing, Vulnerability Assessments, and Risk Assessments: Hospitals are required to undertake an annual risk assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of Nonpublic Information and information systems. Hospitals also need to develop monitoring and testing, in accordance with the risk assessment, that is designed to assess the effectiveness of the hospital's cybersecurity program and assess changes in information systems that may create or indicate vulnerabilities. Such monitoring and testing must include penetration testing of the hospital's information systems by a qualified internal or external party at least annually and automated scans or manual or automated reviews of information systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the hospital's information systems based on the risk assessment. These requirements are more prescriptive than HIPAA's requirement for "periodic" risk analyses, and hospitals may need to revise their HIPAA risk analysis plans to ensure compliance with these new requirements.
  • Audit Trails and Records Maintenance: Hospitals are required to maintain, for at least six years, records pertaining to systems design, security, and maintenance, as well as audit trails that can detect and combat significant cybersecurity threats. This mirrors HIPAA record retention obligations, which require records pertaining to HIPAA policies to be kept for six years after their creation or policy implementation.
  • Incident Response Plans: Hospitals are required to adopt a written incident response plan designed to promptly respond to and recover from material security incidents in accordance with requirements specified in the regulations.

Footnotes

1. New York State Register, Oct. 2, 2024, Vol. XLVI, https://dos.ny.gov/system/files/documents/2024/10/100224.pdf.

2. Christine Moundas & Gideon Zvi Palte, New York State Proposes New Cybersecurity Program and Incident Reporting Requirements for Hospitals, Ropes & Gray LLP (Nov. 28, 2023), https://www.ropesgray.com/en/insights/alerts/2023/11/new-york-state-proposes-new-cybersecurity-program-and-incident-reporting-requirements-for-hospitals; Christine Moundas, Gideon Zvi Palte, William Shefelman & Peyton Brooks, New York State Revises Proposed Cybersecurity Program and Incident Reporting Requirements for Hospitals, Ropes & Gray LLP (June 4, 2023), https://www.ropesgray.com/en/insights/alerts/2024/06/new-york-state-revises-proposed-cybersecurity-program-and-incident-reporting-requirements.

3. Minor changes in the final Regulations include the following: (1) the Regulations clarify that multi-factor authentication means at least two distinct authentication factors; (2) the definition of personally identifiable information now includes protected health information as defined under 45 CFR 160.103; and (3) to "ensure continuity of business and operations at general hospitals within the State" was removed throughout as a legislative objective.
