Navigating New York’s Evolving Cybersecurity Regulations: What Healthcare Providers Need to Know 

Updated on April 15, 2025

Hospitals and healthcare providers, take note: New York State recently introduced comprehensive cybersecurity regulations for healthcare organizations, expanding beyond traditional HIPAA requirements to include broader protections for business operations and patient data. 

Though the reporting obligations went into effect on October 2, 2024, organizations were given nine months to follow these obligations. This means that all general hospitals in the state of New York have until the summer of 2025 to educate themselves and ensure that they are in compliance. 

These new cybersecurity requirements are the latest example of healthcare regulators becoming more prescriptive about the actions healthcare organizations must take. So, while this set of requirements applies only to New York hospitals, providers nationwide are well-advised to pay attention to the changes, as they may soon find themselves faced with similar guidelines.

What’s Changed: Enhanced Security Framework and Reporting Requirements

The new regulation is intended to supplement, not supersede, the current federal Health Insurance Portability and Accountability Act (HIPAA) requirements: it is meant to fill in the gaps where HIPAA's current cybersecurity guidance is vague. While HIPAA zeroes in on Protected Health Information (PHI), the New York rules widen the net to include Personally Identifiable Information (PII) and the overall operations of hospitals. It is no longer just about patient data; it is about keeping the whole ship running smoothly.

The new regulations mandate specific requirements for healthcare organizations, including annual risk assessments, appointment of a qualified CISO, and comprehensive incident reporting within 72 hours. These requirements go beyond protecting patient health information to safeguard hospital business operations, and they make clear that operational downtime for a hospital in New York is treated as seriously as the loss of personal information.

The first standard specifically requires a risk assessment that covers non-public information and business operations, to be conducted annually and upon any change in infrastructure. This standard is more prescriptive than past practice, as the required frequency of risk assessments had previously been unclear. An important new requirement states that an encryption assessment must be done annually to determine which types of encryption are needed, or whether they are needed at all.

Under the new regulation, cybersecurity reporting is also greatly enhanced. The changes require general hospitals to notify the Department of Health as promptly as possible, but no later than 72 hours after determining that a cybersecurity incident has occurred. In this context, a cybersecurity incident is not a breach as defined by most laws, nor is it necessarily associated with personal information; it is an incident that has a material, adverse impact on normal hospital operations, or a likelihood of materially harming those operations. This distinction further highlights a focus on operations, rather than only on the results of, for example, a ransomware deployment within a hospital's information systems. Having a clear incident response plan, executed by an established IR team, will ensure these requirements are met and information is protected.

A risk assessment for third-party vendors will also need to be conducted at least annually. These assessments will cover contractual requirements, as well as vendor compliance and performance in addressing security concerns.

Operational Impact: Be Prepared to Follow Very Prescriptive Requirements

Organizations must implement robust vendor management processes, conduct regular penetration testing, and maintain automated scanning systems. The regulations emphasize the importance of staff training, particularly in identifying sophisticated phishing attempts enhanced by AI technology.

Formerly, organizations were required by HIPAA to have an audit plan and stick to it. With this more prescriptive outline, organizations will need to pay careful attention to the requirements and have a well-prepared and actionable response plan in place that meets New York's very specific requirements.

Incorporating this new regulation into organizations’ regular management and operational processes will take time and forethought. This affects many parts of a hospital or healthcare entity, linking IT and operational procedures and highlighting the need for a unified approach to cybersecurity. Pay careful attention to these key requirements:

  • Mandatory appointment of a qualified CISO with clear authority and independence
  • 72-hour incident reporting requirement for cybersecurity incidents
  • Enhanced focus on protecting business operations beyond traditional PHI
  • Regular staff training and phishing simulation requirements
  • Implementation of comprehensive vendor management processes

Not in New York State? Look to This Regulation to Serve as a Model for Your Own Jurisdiction

New York's rules offer a detailed plan that works alongside federal standards, focusing on both data protection and ensuring that hospital operations remain secure.

While these regulations currently apply to New York healthcare organizations, they represent a broader trend in healthcare cybersecurity requirements. Organizations nationwide should prepare for similar comprehensive regulations, focusing on both technical implementation and organizational readiness.

Mandeep Gosal
VP, Global Professional Services at Beazley Security

Mandeep Gosal is VP, Global Professional Services at Beazley Security. Gosal serves as a liaison for Beazley Insurance, providing technical guidance and insights to underwriting and claims personnel, as well as acts as a key interface to Beazley brokers to help insurance clients proactively address cyber risks.