Skip to Main Content
Services Talent Knowledge
Site Search
Menu

Alert

Our attorneys stay on top of changes in legislation, agency regulations, case law, and industry trends—then craft timely legal alerts to keep clients up to date on legal developments important to their business.

July 18, 2024

NYS Department of Health Publishes Amended Proposed Cybersecurity Regulations for Hospitals

On May 15, 2024, the New York State Department of Health published amended proposed hospital cybersecurity regulations. If adopted, the amended proposed regulations, which were initially published on December 6, 2023, will create a new Section 405.6 of Title 10 (Health) of the New York State Codes, Rules, and Regulations and impose cybersecurity-related requirements on all New York State hospitals.

The amended proposed regulations, if adopted, will require all hospitals licensed under Article 28 of the New York State Public Health Law to adopt a cybersecurity program. The cybersecurity program, which will need to be based on each hospital’s individualized risk assessment, will be required to perform the following core functions:

  1. Identify and assess internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on the hospital’s information systems and the continuity of the hospital’s business and operations;
  2. Use defensive infrastructure and the implementation of policies and procedures to protect the hospital’s information systems, the continuity of the hospital’s business and operations, and the nonpublic information stored in those information systems from unauthorized access, use, or other malicious acts;
  3. Detect cybersecurity events; 
  4. Respond to identified or detected cybersecurity events to mitigate any negative effects; 
  5. Recover from cybersecurity events and incidents and restore normal operations and services; and 
  6. Fulfill reporting obligations set out in applicable laws and regulations.

In addition to adopting and implementing a cybersecurity program that meets the requirements set out above, the amended proposed regulations would also require hospitals to adopt specific cybersecurity policies and procedures, designate a chief information security officer, perform vulnerability testing and risk assessments, provide training on the cybersecurity program, develop an incident response plan, and report cybersecurity incidents to the New York State Department of Health no later than 72 hours after determining an incident has occurred. If adopted, hospitals will have one year from the date of adoption to comply with the proposed requirements. Importantly, however, the regulatory provisions that will require cybersecurity incidents to be reported to the New York State Department of Health would not be subject to the one-year implementation timeline; instead, they would become effective immediately upon adoption.

It is important to note that the scope of the proposed regulations extend beyond the protection of “protected health information” required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to cover “nonpublic information,” which encompasses information used to identify a natural person and certain confidential business-related information. The proposed regulations are intended to supplement HIPAA. Therefore, if enacted, hospitals will need to ensure compliance with the requirements under the proposed regulations, which may be more stringent than their current obligations under HIPAA, including those related to risk assessment measures.

The full text of the amended proposed hospital cybersecurity regulations are available on the Department of Health’s website. Attorneys in Barclay Damon’s Data Security & Technology Practice Area are available to assist hospitals with preparing, reviewing, and revising their cybersecurity programs, including policies and procedures, and will continue to monitor any developments and best practices.

If you have any questions regarding the content of this alert, please contact Dena DeFazio, associate, at ddefazio@barclaydamon.com; Bridget Steele, counsel, at bsteele@barclaydamon.com; or another member of the firm’s Data Security & Technology Practice Area or Health & Human Services Providers Team.
 

Featured Media

Alerts

NYS Department of Health Issues Consumer Protection Guidance on Payments for Health Care Services

Alerts

Stay Away From the Debtor? An Overview of the Automatic Stay in Bankruptcy

Alerts

Second Department: Defendants Are Entitled to Collateral Source Hearing for "To-Be Obtained" Insurance Coverage Under the ACA

Alerts

What OMH Providers Need to Know About the Proposed Amendments to the Licensing Regulations in 14 NYCRR Part 551

Alerts

Website Accessibility Lawsuits: Several "Tester" Plaintiffs—Primitivo Robles, Hannibal Wheatley, Valeria Jacobs, Marlelis Hernandez, and Omar Rodriguez—Targeting Businesses in Recent Flurry of Lawsuits

Alerts

Hitting the Reset Button: Second Circuit Decision Highlights Significant Statute of Limitations Issues for New York Foreclosure Plaintiffs

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out