On October 2, 2024, the New York State Department of Health (DOH) published a new cybersecurity regulation (10 NYCRR 405.46) for all general hospitals licensed pursuant to article 28 of the Public Health Law. Although most of the regulation will take effect in one year, on October 2, 2025, the requirement that covered hospitals provide notice to DOH within 72 hours of a “Cybersecurity incident” (which can include third party incidents) went into effect upon publication. The regulation includes elements of both the Health Insurance Portability and Accountability Act (HIPAA) and the New York Department of Financial Services (NYDFS) cybersecurity regulation.
Similar to HIPAA, the new regulation counts unsuccessful attempts to gain unauthorized access as a “cybersecurity event,” but reporting obligations apply only to “cybersecurity incidents.” Under the new regulation, which mostly aligns with the text proposed in May 2024, a “Cybersecurity incident” is defined as “a cybersecurity event that: (i) has a material adverse impact on the normal operations of the hospital, or; (ii) has a reasonable likelihood of materially harming any part of the normal operation(s) of the hospital; or (iii) results in the deployment of ransomware within a material part of the hospital’s information systems.” Notably, hospitals subject to the obligation to notify DOH after a “Cybersecurity incident” are not exempted from their other notification obligations under State or Federal laws or regulations, such as notifications required by HIPAA. Nor does the new regulation affect a hospital’s obligations under other laws or regulations that require notification upon access to or acquisition of personal information, even though the new regulation sets a higher threshold (a material impact on the hospital’s operations) before its own notice duty is triggered. The 72-hour notification requirement is similar to the NYDFS regulation.
The new regulation also includes specific requirements for hospitals to implement a compliant cybersecurity program based on the hospital’s annual risk assessment. Below are some of the noteworthy provisions of the new regulation:
- Covered hospitals are required to designate a Chief Information Security Officer (CISO) with adequate experience, expertise, and training. Among other dedicated responsibilities, the CISO must issue an annual written report to the hospital’s governing body with details about the hospital’s cybersecurity program and material cybersecurity risks. This requirement is similar to HIPAA’s and NYDFS’ and also reflects what other regulators are finding to be “reasonable or appropriate security.”
- The cybersecurity program of a covered hospital must be designed to protect the non-public information (NPI) stored on the hospital’s information systems. The broad definition of NPI in the new regulation includes Personally Identifiable Information (PII), Protected Health Information (PHI) as defined under HIPAA, and a hospital’s business-related information, similar to the NYDFS regulation.
- The new regulation requires that covered hospitals use qualified cybersecurity personnel or third-party service providers to manage their cybersecurity program, similar to the NYDFS regulation. When using third-party service providers, covered hospitals must implement written policies to protect the information systems and NPI accessed by such third parties. These policies must contain certain contractual provisions addressing, for example, the encryption of data at rest and in transit, and the obligation of the third-party service provider to report to the covered hospital when the third party is itself affected by a cybersecurity incident.
- Covered hospitals are required to implement certain specific identity and access management procedures such as multi-factor authentication (MFA), similar to the NYDFS regulation. The new regulation explicitly requires that access to a covered hospital’s internal network from an external network requires MFA, unless the hospital’s CISO approves an alternative in writing. The new regulation further leverages the principle of least privilege by requiring that covered hospitals limit user access privileges to information systems that give access to NPI.
- The cybersecurity program of a covered hospital must include vulnerability assessment, monitoring and testing consistent with the hospital’s risk assessment. Although covered hospitals are likely already subject to HIPAA’s requirement to conduct periodic risk analyses, the new DOH regulation lists detailed requirements prescribing an annual penetration test (similar to the NYDFS regulation) and the implementation of automated vulnerability scanning. Therefore, covered hospitals may need to revise their risk analysis and management processes to comply with the new regulation.
- With respect to service providers, the new regulation requires due diligence as well as general requirements such as warranties, much like the NYDFS regulation. It does not include specific provisions like a HIPAA business associate agreement.
- The new regulation includes record retention requirements for records that relate to systems design, security and maintenance, and for audit trails designed to detect cybersecurity threats. These are to be retained for at least six years, similar to HIPAA’s retention obligations for the policies and procedures implemented to comply with HIPAA. The regulation also requires that the hospital’s cybersecurity policies address data governance and classification.
- In addition to HIPAA’s “minimum necessary” requirement and its disposal requirement, the new regulation requires a hospital to have policies and procedures for the secure disposal, on a periodic basis, of any nonpublic information identified that is no longer necessary for business operations or for other legitimate business purposes of the hospital. The regulation includes an exception for information that is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained. Over-retention of data is becoming an increasingly expensive regulatory issue; see our post on the NYDFS $8 million fine here.
- Finally, covered hospitals are required to maintain a written incident response plan with certain prescribed sections similar to those specified by the NYDFS.
OUR TAKE
Covered hospitals should be aware that the new regulation creates cybersecurity obligations related not only to PHI but also to certain business information. Although hospitals have until October 2, 2025, to prepare and confirm that the appropriate resources are allocated to their cybersecurity programs, now is the time to gain familiarity and formulate a strategy to comply with the new regulation.
Importantly, covered hospitals using third-party service providers for their cybersecurity programs should start assessing the contractual terms of these agreements to ensure compliance with the new regulation. Incident response plans should be updated to address the new 72-hour rule for notifying DOH. As the regulation does not address any retroactive effect, the notification requirement should apply only to cybersecurity incidents discovered after October 2, 2024.