Skip to main content

Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About
Trending Topics
    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Entertainment & Media
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor, Employment, and Benefits
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations
    Industries

    View All

    • Aviation
    • Cannabis
    • Consumer
    • Energy
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Nonprofit Organizations
    • Real Estate
    • Sports & Stadiums
    • Technology
    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Environmental, Social, and Governance (ESG)

      We help clients create positive return on investments in people, products, and the planet.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    • Women in Dealmaking

      We provide strategic counsel on complex corporate transactions and unite dynamic women in the dealmaking arena.

    1. Home
    2. Insights
    3. Alerts
    4. New York adopts cybersecurity regulations for general hospitals

      Alerts

    Alert / Healthcare

    New York adopts cybersecurity regulations for general hospitals

    Oct 11, 2024

    LinkedInX (Twitter)EmailCopy URL

    By Mukta Chilakamarri, Laurie Cohen and Justin Pfeiffer

    The new regulations lay out requirements for risk assessments and a 72-hour reporting window.

    What’s the impact?

    • Effective immediately, general hospitals in New York must report to the NYSDOH, within 72 hours, any discovery of a cybersecurity incident.
    • General hospitals have until October 2, 2025, to implement a written cybersecurity program, designate a Chief Information Security Officer (CISO), perform risk assessments, and adopt multifactor authentication controls that align with industry standards.

    DOWNLOAD

    New York adopts cybersecurity regulations for general hospitals (PDF)

    On October 2, 2024, the New York State Department of Health (NYSDOH) adopted hospital cybersecurity regulations requiring general hospitals in the state to, among other requirements, establish a cybersecurity program based on the hospital’s risk assessment. The regulations also require general hospitals to notify the NYSDOH within 72 hours of a cybersecurity incident. The newly adopted regulations contain revisions to the regulations proposed in November 2023 as part of Governor Hochul’s New York State Cybersecurity Strategy.

    New cybersecurity program requirements for general hospitals

    The adopted regulations require New York general hospitals to: (1) establish within their policies and procedures a cybersecurity program based on the hospital’s risk assessment, (2) maintain records of their cybersecurity systems including audit trails detecting and responding to cybersecurity events that have a reasonable likelihood of materially harming normal operations of the hospital, (3) designate a Chief Information Security Officer (CISO) to enforce the new policies, (4) notify the NYSDOH within 72 hours of any cybersecurity incident, and (5) use risk-based authentication or multi-factor authentication (MFA) controls to protect against unauthorized access to its nonpublic information or information systems.

    Changes to cybersecurity incident reporting timeframe

    Although the final regulations give general hospitals until October 2, 2025 to come into compliance with a majority of the new requirements, the mandate to notify the NYSDOH within 72 hours after the discovery of a cybersecurity incident is effective immediately. (Notably, the 72-hour reporting window is longer than the 2-hour window that the NYSDOH originally proposed.) Like the proposed regulations, a “cybersecurity incident” is defined as an event that: (i) has a material adverse impact on the normal operations of the hospital, (ii) has a reasonable likelihood of materially harming any part of the normal operation(s) of the hospital, or (iii) results in the deployment of ransomware within a material part of the hospital’s information systems.

    Additional guidance

    Additionally, in its response to public comments, the NYSDOH clarified that the adopted regulations apply only to general hospitals and not to managed care organizations. The NYSDOH also revised the definition of “nonpublic information” to specify that a cybersecurity program must protect, in addition to certain sensitive “business-related information,” protected health information (PHI) and personally identifying information (PII) as defined in the federal Health Insurance Portability and Accountability Act (HIPAA). As a result, a hospital’s cybersecurity program must be designed to protect a broader range of information than HIPAA requires.

    Lastly, with respect to the use of MFA controls, the adopted regulations revised the definition of “multi-factor authentication” to, according to the NYSDOH, more closely align with industry standards. The NYSDOH has indicated that it will be publishing guidance that will map the requirements in the regulations to standards published by the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA).

    For more information on the content of this alert, please contact your Nixon Peabody attorney or the authors of this alert.

    Locations

    RochesterAlbanyLong IslandNew York City

    Practices

    HealthcareHealthcare Regulatory & ComplianceHealth Information - Privacy, Security & Data SharingCybersecurity & Privacy

    Industries

    Healthcare

    Insights And Happenings

    • Alert

      New York issues new hospital regulations for patients with behavioral health presentations

      Jan 13, 2025
    • Press Release

      Nixon Peabody advises Health Catalyst in acquisition of cybersecurity provider Intraprise

      Dec 3, 2024
    • Article

      OCR Enforces HIPAA Right of Access: $170K in Penalties for Delayed PHI Access

      Nov 27, 2024
    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • Cookie Preferences
    • Privacy Policy
    • Terms of Use
    • Accessibility Statement
    • Statement of Client Rights
    • Purchase Order Terms & Conditions
    • Nixon Peabody International LLC
    • PAL
    © 2025 Nixon Peabody. All rights reserved