On May 15, 2024, the New York State Department of Health published amended proposed hospital cybersecurity regulations. If adopted, the amended proposed regulations, which were initially published on December 6, 2023, will create a new Section 405.6 of Title 10 (Health) of the New York State Codes, Rules, and Regulations and impose cybersecurity-related requirements on all New York State hospitals.
The amended proposed regulations, if adopted, will require all hospitals licensed under Article 28 of the New York State Public Health Law to adopt a cybersecurity program. The cybersecurity program, which will need to be based on each hospital’s individualized risk assessment, will be required to perform the following core functions:
- Identify and assess internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on the hospital’s information systems and the continuity of the hospital’s business and operations;
- Use defensive infrastructure and the implementation of policies and procedures to protect the hospital’s information systems, the continuity of the hospital’s business and operations, and the nonpublic information stored in those information systems from unauthorized access, use, or other malicious acts;
- Detect cybersecurity events;
- Respond to identified or detected cybersecurity events to mitigate any negative effects;
- Recover from cybersecurity events and incidents and restore normal operations and services; and
- Fulfill reporting obligations set out in applicable laws and regulations.
In addition to adopting and implementing a cybersecurity program that meets the requirements set out above, the amended proposed regulations would also require hospitals to adopt specific cybersecurity policies and procedures, designate a chief information security officer, perform vulnerability testing and risk assessments, provide training on the cybersecurity program, develop an incident response plan, and report cybersecurity incidents to the New York State Department of Health no later than 72 hours after determining an incident has occurred. If the regulations are adopted, hospitals will have one year from the date of adoption to comply with the proposed requirements. Importantly, however, the regulatory provisions that will require cybersecurity incidents to be reported to the New York State Department of Health would not be subject to the one-year implementation timeline; instead, they would become effective immediately upon adoption.
It is important to note that the scope of the proposed regulations extends beyond the protection of “protected health information” required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to cover “nonpublic information,” which encompasses information used to identify a natural person and certain confidential business-related information. The proposed regulations are intended to supplement HIPAA. Therefore, if enacted, hospitals will need to ensure compliance with the requirements under the proposed regulations, which may be more stringent than their current obligations under HIPAA, including those related to risk assessment measures.
The full text of the amended proposed hospital cybersecurity regulations is available on the Department of Health’s website. Attorneys in Barclay Damon’s Data Security & Technology Practice Area are available to assist hospitals with preparing, reviewing, and revising their cybersecurity programs, including policies and procedures, and will continue to monitor any developments and best practices.
If you have any questions regarding the content of this alert, please contact Dena DeFazio, associate, at ddefazio@barclaydamon.com; Bridget Steele, counsel, at bsteele@barclaydamon.com; or another member of the firm’s Data Security & Technology Practice Area or Health & Human Services Providers Team.