Skip to Main Content
Services Talent Knowledge
Site Search
Menu

Alert

Our attorneys stay on top of changes in legislation, agency regulations, case law, and industry trends—then craft timely legal alerts to keep clients up to date on legal developments important to their business.

July 18, 2024

NYS Department of Health Publishes Amended Proposed Cybersecurity Regulations for Hospitals

On May 15, 2024, the New York State Department of Health published amended proposed hospital cybersecurity regulations. If adopted, the amended proposed regulations, which were initially published on December 6, 2023, will create a new Section 405.6 of Title 10 (Health) of the New York State Codes, Rules, and Regulations and impose cybersecurity-related requirements on all New York State hospitals.

The amended proposed regulations, if adopted, will require all hospitals licensed under Article 28 of the New York State Public Health Law to adopt a cybersecurity program. The cybersecurity program, which will need to be based on each hospital’s individualized risk assessment, will be required to perform the following core functions:

  1. Identify and assess internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on the hospital’s information systems and the continuity of the hospital’s business and operations;
  2. Use defensive infrastructure and the implementation of policies and procedures to protect the hospital’s information systems, the continuity of the hospital’s business and operations, and the nonpublic information stored in those information systems from unauthorized access, use, or other malicious acts;
  3. Detect cybersecurity events; 
  4. Respond to identified or detected cybersecurity events to mitigate any negative effects; 
  5. Recover from cybersecurity events and incidents and restore normal operations and services; and 
  6. Fulfill reporting obligations set out in applicable laws and regulations.

In addition to adopting and implementing a cybersecurity program that meets the requirements set out above, the amended proposed regulations would also require hospitals to adopt specific cybersecurity policies and procedures, designate a chief information security officer, perform vulnerability testing and risk assessments, provide training on the cybersecurity program, develop an incident response plan, and report cybersecurity incidents to the New York State Department of Health no later than 72 hours after determining an incident has occurred. If adopted, hospitals will have one year from the date of adoption to comply with the proposed requirements. Importantly, however, the regulatory provisions that will require cybersecurity incidents to be reported to the New York State Department of Health would not be subject to the one-year implementation timeline; instead, they would become effective immediately upon adoption.

It is important to note that the scope of the proposed regulations extend beyond the protection of “protected health information” required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to cover “nonpublic information,” which encompasses information used to identify a natural person and certain confidential business-related information. The proposed regulations are intended to supplement HIPAA. Therefore, if enacted, hospitals will need to ensure compliance with the requirements under the proposed regulations, which may be more stringent than their current obligations under HIPAA, including those related to risk assessment measures.

The full text of the amended proposed hospital cybersecurity regulations are available on the Department of Health’s website. Attorneys in Barclay Damon’s Data Security & Technology Practice Area are available to assist hospitals with preparing, reviewing, and revising their cybersecurity programs, including policies and procedures, and will continue to monitor any developments and best practices.

If you have any questions regarding the content of this alert, please contact Dena DeFazio, associate, at ddefazio@barclaydamon.com; Bridget Steele, counsel, at bsteele@barclaydamon.com; or another member of the firm’s Data Security & Technology Practice Area or Health & Human Services Providers Team.
 

Featured Media

Alerts

Website Accessibility Lawsuits: Several "Tester" Plaintiffs—Zayzay Howard, Carlos Gonzalez, Waleska Pena, Luis Compres, Carlos Moreno, Nersi Nin Vasquez, and Shivan Bassaw—Targeting Businesses in Recent Flurry of Lawsuits

Alerts

NYS Court of Appeals: No Municipal Immunity for a Town Employee Involved in an Accident but Not Engaged in Work

Alerts

Massachusetts Passes Climate Bill Accelerating Siting and Permitting for Clean Energy Projects

Alerts

Make It a Double: Amendment to New York State's ABC Law Extends Temporary Permits to Sell Alcoholic Beverages for Liquor License Applicants from 90 to 180 Days

Alerts

New York's New Pharmacy Regulations: Major Win for Independent Pharmacies and Consumers

Alerts

Second Circuit Upholds New York State's Ivory Law, but Holds Display Restriction Unconstitutional

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out