In May 2024, the New York State Department of Health (NYSDOH) updated its proposed hospital cybersecurity regulations, first introduced in November 2023. The regulations aim to strengthen the protection of hospitals’ protected health information and to establish a minimum standard of cybersecurity measures. They were proposed in the wake of several high-profile cybersecurity incidents affecting hospitals; the May 2024 revisions respond to feedback received during the public comment period.
The revised regulations focus on maintaining hospital operations and address industry concerns by relaxing some requirements. Notably, the timeframe for reporting cybersecurity incidents involving ransomware was extended from two hours to 72 hours following an incident. This adjustment was made in response to feedback suggesting that the original timeframe was too stringent.
Additional requirements in the updated regulations include the designation of a Chief Information Security Officer (CISO) responsible for overseeing the cybersecurity program. Hospitals must implement comprehensive written policies and procedures covering various cybersecurity areas, including network security, incident response, and employee training. The regulations also extend protections to include nonpublic information beyond HIPAA’s scope and require specific controls to address email-based threats.
Hospitals will need to perform annual risk assessments, penetration testing, and vulnerability assessments commensurate with their risk profiles. The regulations mandate multifactor authentication for individuals accessing the hospital’s internal networks from an external network, and require hospitals to retain records supporting compliance for at least six years. Once adopted, hospitals will have one year to comply with the new requirements, with the incident reporting obligation taking effect immediately.