As previously reported, the New York State Department of Health (NYSDOH) adopted hospital cybersecurity regulations in 2024 requiring general hospitals in the state to, among other requirements, establish a cybersecurity program based on the hospital’s risk assessment. NYSDOH gave hospitals a year from the date of initial notice to bring their organizations into compliance. Accordingly, by October 2, 2025, general hospitals must:
- Establish, through policies and procedures, a cybersecurity program based on the hospital’s risk assessment;
- Maintain records of their cybersecurity systems, including audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming normal operations of the hospital;
- Designate a Chief Information Security Officer (CISO) to enforce the new policies; and
- Use risk-based authentication or multi-factor authentication (MFA) controls to protect against unauthorized access to nonpublic information or information systems.
The regulations also require general hospitals to notify NYSDOH within 72 hours following the discovery of a cybersecurity incident. A “cybersecurity incident” is defined as an event that: (i) has a material adverse impact on the normal operations of the hospital, (ii) has a reasonable likelihood of materially harming any part of the normal operation(s) of the hospital, or (iii) results in the deployment of ransomware within a material part of the hospital’s information systems.
Further, general hospitals are required to secure certain “nonpublic information” and report cybersecurity incidents related to such information. The definition of “nonpublic information” is significantly broader than HIPAA’s definition of protected health information (PHI), as it includes, in addition to PHI, other sensitive business-related information.
Earlier this year, the NYSDOH published guidance regarding cybersecurity incident reporting, including a document that maps New York’s regulatory requirements to existing industry standards.
Ensuring cybersecurity compliance
Although NYSDOH’s cybersecurity regulations do not include a penalty provision, noncompliance is subject to the agency’s general authority to assess penalties of up to $2,000 per violation of its regulations, with substantially increased penalties for repeat violations or violations that result in patient harm. New York hospitals should confirm that they have taken all necessary steps to comply with NYSDOH requirements as the effective date approaches.
Nixon Peabody’s Health Information Technology team regularly helps hospitals and healthcare organizations develop robust privacy and security programs, address regulatory challenges, and ensure that operational goals are met while safeguarding sensitive patient information. We offer comprehensive support to evaluate your compliance strategies, plan staff training, develop incident response plans, and strengthen your organization’s resilience against cyberattacks.