Cyber Countdown: New York Hospitals Face New Data Security Mandates | Insights

The time has come. Last year, the New York State Department of Health (DOH) published a notice of adoption of new hospital cybersecurity requirements, now codified at 10 NYCRR § 405.46 (the Regulations), enhancing the protection of patients’ data that already existed under the Health Insurance Portability and Accountability Act (HIPAA). Regulated entities in New York are already required to report “cybersecurity incidents,” but the balance of the Regulations goes into effect on Oct. 2, 2025.
The Regulations add a series of additional specific requirements for New York hospitals that, in many cases, are more detailed than HIPAA. For example, while HIPAA requires hospitals to appoint a “security official,” the New York law requires them to designate a “chief information security officer (CISO).” The HIPAA rules simply say that the security official is responsible for developing and implementing required policies and procedures. In the New York Regulations, the CISO, or a qualified designee, must review, assess, update and attest each year to written procedures, guidelines and standards regarding data security.
Additionally, the CISO must review and approve certain compensating controls when encryption is infeasible. The Regulations also require hospitals to conduct annual risk assessments and develop cybersecurity programs designed to identify, protect against, respond to and recover from any “cybersecurity events.”
Regulated hospitals should review their current compliance and cybersecurity programs to ensure they can be brought into compliance in time for the Oct. 2, 2025, effective date. The Regulations do not specify penalties for noncompliance; however, in such cases, the DOH retains the authority to impose civil penalties against parties that fail to comply with applicable statutes and regulations.[1] Additionally, the Regulations are considered part of the minimum standards for hospitals, meaning noncompliance could lead to enforcement action against their license.
For more on the Regulations taking effect, see Holland & Knight’s previous Healthcare Blog post, “NY Department of Health Bolsters Hospital Cybersecurity Regulations,” Nov. 21, 2024. Holland & Knight will continue to monitor for any new developments in the Regulations or enforcement thereof.
Notes
[1] See N.Y. Pub. Health Law § 12.