New York State Adopts New Cybersecurity Program and Incident Reporting Requirements for Hospitals

On October 2, 2024, the New York State Department of Health (“NYSDOH”) adopted hospital cybersecurity regulations (the “Regulations”) that it first released in November 2023.¹ We previously summarized the initially introduced and subsequently revised proposed regulations in November 2023 and June 2024 client alerts.²

Effective immediately, hospitals in New York State are required to report to NYSDOH as promptly as possible, but not later than 72 hours after determining that a cybersecurity incident has occurred. A cybersecurity incident is an event that (i) has a material adverse impact on the normal operations of the hospital; (ii) has a reasonable likelihood of materially harming any part of the normal operation(s) of the hospital; or (iii) results in the deployment of ransomware within a material part of the hospital’s information systems. Hospitals must retain documentation related to such incidents for at least six years and provide it to NYSDOH upon request.

Other requirements of the regulations have been implemented largely as proposed and will come into effect on October 2, 2025.³ Notable requirements of the Regulations are summarized below:

• Requirements Applicable to Nonpublic Information: The Regulations impose cybersecurity requirements with respect to “Nonpublic Information,” which includes a hospital’s confidential business-related information and information that can be used to identify a natural person. This is broader than the federal Health Insurance Portability and Accountability Act’s (“HIPAA”) applicability to “protected health information” that can be used to identify a patient.
• Cybersecurity Program: The Regulations require hospitals to establish a cybersecurity program that features specified capabilities, including identification and assessment of cybersecurity risks, defensive infrastructure, and response to identified or detected cybersecurity events to mitigate any negative effects.
  • The Regulations introduce a new requirement for hospitals to implement security controls to mitigate risks arising from electronic mail-based threats (such as spoofing, phishing, and fraud), and to review and update such controls on a regular basis to ensure their effectiveness against evolving threats. In addition, the hospital’s cybersecurity policy must be adopted in accordance with the hospital’s risk assessment and applicable state and federal law.
• CISO: Hospitals are required to appoint a qualified senior or executive-level staff member with proper training, experience, and expertise to serve as Chief Information Security Officer (“CISO”). The CISO must recommend the hospital’s cybersecurity policy for approval by the hospital’s governing body and provide an annual written report to the governing body on the hospital’s cybersecurity program and material cybersecurity risks.
• Cybersecurity Personnel: Hospitals are required to use qualified cybersecurity personnel or a third-party service provider to manage the cybersecurity program. If using a third-party service provider, the hospital is required to implement written policies and procedures designed to ensure the security of information systems and Nonpublic Information accessed by such third party. The Regulations also specify requirements for third-party service provider contracts. Hospitals that engage third-party service providers to assist with their cybersecurity programs may need to review the terms of such engagements to ensure compliance with these new requirements.
• Information System User Authentication: Hospitals must use multi-factor authentication, risk-based authentication, or other compensating controls for user authentication to protect against unauthorized access to Nonpublic Information or information systems. Multi-factor authentication is required for accessing the hospital’s internal network from an external network, unless the CISO approves otherwise in writing.
  • The Regulations introduce additional requirements regarding user access privileges and privileged accounts that can be used to perform security-relevant functions that ordinary users are not authorized to perform (such as the ability to add, change or remove other accounts, or make configuration changes to information systems). Specifically, hospitals must limit user access privileges to information systems that provide access to Nonpublic Information to only those necessary to perform the user’s job. In addition, hospitals must have separate privileged accounts that are limited in number and access functions to only the quantity and capabilities necessary to perform required privileged functions. Hospitals also must review all user access privileges and remove or disable accounts and access that are no longer necessary at least annually, promptly terminate access following departures, and disable or securely configure all protocols that permit remote control of devices.
• Testing, Vulnerability Assessments, and Risk Assessments: Hospitals are required to undertake an annual risk assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of Nonpublic Information and information systems. Hospitals also need to develop monitoring and testing, in accordance with the risk assessment, that is designed to assess the effectiveness of the hospital’s cybersecurity program and assess changes in information systems that may create or indicate vulnerabilities. Such monitoring and testing must include penetration testing of the hospital’s information systems by a qualified internal or external party at least annually and automated scans or manual or automated reviews of information systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the hospital’s information systems based on the risk assessment. These requirements are more prescriptive than HIPAA’s requirement for “periodic” risk analyses, and hospitals may need to revise their HIPAA risk analysis plans to ensure compliance with these new requirements.
• Audit Trails and Records Maintenance: Hospitals are required to maintain records pertaining to systems design, security, and maintenance and to audit trails that can detect and combat significant cybersecurity threats for at least six years. This mirrors HIPAA record retention obligations, which require records pertaining to HIPAA policies to be kept for six years after their creation or policy implementation.
• Incident Response Plans: Hospitals are required to adopt a written incident response plan designed to promptly respond to and recover from material security incidents in accordance with requirements specified in the regulations.

If you have any questions concerning this alert, please contact your usual Ropes & Gray advisor or one of the authors.

--

Christine Moundas is a partner in Ropes & Gray’s health care group and co-head of the firm’s digital health initiative. Moundas provides strategic, regulatory, compliance and transactional advice to health care technology companies, health systems, pharmaceutical companies and investors. She counsels clients on cutting-edge issues in the digital health space, including artificial intelligence, interoperability and big data initiatives. She can be reached at Christine.Moundas@ropesgray.com. Gideon Zvi Palte is an associate in the firm’s health care group. He advises health care providers, technology companies, insurance companies, health care organizations and investors on transactional and regulatory issues. He can be reached at Gideon.Palte@ropesgray.com. William Shefelman is an associate in the firm’s health care group and can be reached at William.Shefelman@ropesgray.com.