
The New York State Department of Health (DOH) has published a new cybersecurity regulation (10 NYCRR 405.46) – and it represents a major turning point for healthcare entities.
Hospitals and health systems within the state must now implement a range of measures to reinforce protections for patient data:
- Regulators expanded the scope of data protection to require protection for Personally Identifiable Information (PII) alongside Protected Health Information (PHI) and other business-related data.
- A breach must now be reported within 72 hours, whereas HIPAA requires reporting within 60 days.
- Risk assessments must now be conducted at least annually.
- CISOs will be required to provide a written report annually to their hospital’s governing body with details about the organization’s risk profile.
In this article, our compliance experts unpack exactly what these new regulations mean for affected entities – and how they must respond.
3 Ways Hospitals and Health Systems Must Adapt
Under NY’s new regulations, affected entities must implement enhanced security measures to protect both electronic health records (EHRs) and sensitive patient data, as these two categories often involve different types of information. While EHRs contain detailed clinical and medical data, sensitive patient data can also encompass demographic information, financial records, and insurance details—each requiring distinct levels of protection.
Our experts break the new requirements for NY hospitals and health systems into three clear categories of action:
1. Comprehensive Risk Assessments
Organizations are now required to perform thorough and ongoing risk assessments to identify and address potential vulnerabilities across all systems handling patient information. These assessments should encompass every layer of the organization’s technology stack, from network infrastructure to individual applications storing or processing electronic health records (EHRs) and other forms of sensitive patient data.
Key areas to evaluate include:
- Network Security: Evaluate the security of internal and external network connections, assessing firewall configurations, intrusion detection systems, and vulnerability scanning routines. Ensure that network segmentation is in place to isolate sensitive data from less secure network areas and reduce the risk of lateral movement by attackers.
- Data Encryption: Review and enhance encryption protocols for both data at rest and data in transit. This includes assessing the strength of encryption keys, implementing robust key management practices, and ensuring that all sensitive information, including EHRs and other patient records, is encrypted according to the latest standards to maintain confidentiality.
- Access Controls and Identity Management: Assess the adequacy of access control measures, verifying that sensitive patient data is accessible only to authorized individuals. This involves implementing multi-factor authentication (MFA), role-based access controls (RBAC), and robust user verification processes that limit data exposure and mitigate the risk of unauthorized access. Regularly audit access logs to identify and address any anomalies that might indicate unauthorized access.
- Endpoint Security: Evaluate the security posture of all endpoints, including computers, mobile devices, and servers that connect to the network. Ensure that these endpoints have up-to-date antivirus and anti-malware software, enforce device encryption, and apply strict policies on software updates to mitigate risks from outdated or vulnerable applications.
- Third-Party Risk Management: Review the security practices of third-party vendors who may access or process patient data on behalf of the organization. This includes conducting audits, ensuring compliance with contractual security obligations, and integrating third-party risk assessment results into the overall risk profile of the organization.

2. Develop a Robust Incident Response Plan
It is essential for organizations to develop and maintain a detailed incident response plan (IRP) that outlines precise actions to be taken during a cybersecurity event to minimize potential damage, protect patient data, and ensure compliance with regulatory requirements. The IRP should address the entire incident lifecycle, from detection through to post-incident analysis, and must incorporate the newly mandated 72-hour breach reporting requirement specific to New York’s healthcare sector. Key components of a robust incident response plan include:
- Incident Response Team (IRT) Designation: Appoint a specialized incident response team, including representatives from IT, legal, compliance, communication, and senior management. Assign clear roles and responsibilities within this team, ensuring each member understands their specific tasks and has received comprehensive training on the IRP.
- Incident Identification and Classification: Define protocols for identifying and classifying incidents by severity and impact. Include a list of common cyber threats (e.g., ransomware, phishing attacks, insider threats) and develop criteria for escalating incidents based on their potential effect on data integrity, system functionality, and patient safety.
- Incident Response Procedures: Document step-by-step response procedures for each type of incident. For example, the containment, eradication, and recovery procedures for a ransomware attack should include protocols for securing affected systems, isolating compromised data, and preventing further unauthorized access.
- Communication Plan: Develop a structured internal and external communication plan to inform relevant stakeholders, including employees, patients, regulatory authorities, and possibly the public. Designate a spokesperson to handle external communication and prepare templates for breach notifications that comply with legal and regulatory standards.
- 72-Hour Breach Reporting Compliance: Update the IRP to align with the new 72-hour reporting requirement for breach incidents in New York’s healthcare environment. Ensure the response team understands this timeframe and outlines a fast-tracked reporting process that includes gathering incident details, notifying appropriate authorities, and preparing documentation within this strict window.
- Training and Awareness: Conduct regular training sessions to ensure all employees are aware of the IRP and know how to recognize and report potential incidents. Include role-specific training for response team members and regular refreshers for all staff to maintain high readiness levels.
- Regular Testing and Drills: Schedule frequent testing of the IRP through tabletop exercises, simulated breach scenarios, and live drills. Test different types of incidents to validate the effectiveness of response procedures and identify areas for improvement. After each exercise, conduct a post-mortem analysis to update and strengthen the plan.
- Plan Review and Updates: Regularly review and revise the IRP to incorporate lessons learned from past incidents, changes in regulatory requirements, and advancements in cybersecurity best practices. Document all updates and ensure the incident response team and relevant staff are informed of any modifications.
3. Implement Comprehensive Security Program Management
Organizations are required to establish a detailed governance, risk, and compliance (GRC) practice that aligns their cybersecurity policies and practices with both industry standards and regulatory requirements. This framework should clearly define governance structures, assign accountability, and create policies that guide the organization’s approach to risk management and compliance. Key elements of a robust GRC framework include:
- Governance: Clearly define roles and responsibilities within the organization to ensure accountability in managing cybersecurity. This includes designating a Chief Information Security Officer (CISO) or equivalent leader responsible for cybersecurity strategy, policy implementation, and adherence to compliance requirements. Establish a governance committee that oversees cybersecurity initiatives, reviews policy updates, and provides regular reports to senior management and the board.
- Risk Management: Develop a structured approach to identifying, assessing, and managing cybersecurity risks across the organization. This involves conducting risk assessments that prioritize high-risk areas, evaluating the potential impact on the organization, and implementing controls to mitigate identified risks. The risk management process should be dynamic, adapting to new threats and vulnerabilities as they emerge.
- Compliance Controls: Integrate comprehensive compliance controls that ensure adherence to all relevant legal and regulatory requirements, including New York’s new cybersecurity regulation, as well as HIPAA, HITECH, and other state-specific cybersecurity mandates. This includes developing detailed policies for data handling, incident response, access management, and third-party risk. Regularly update policies to reflect changes in the regulatory landscape and ensure alignment with industry standards such as NIST or ISO.
- Continuous Audits and Monitoring: Implement continuous audit processes to assess the effectiveness of security controls and ensure compliance with established policies. This involves scheduled internal audits, independent third-party audits, and continuous monitoring of systems for any deviations from policy or signs of potential breaches. Audit results should be documented, reviewed by leadership, and used to guide improvements in security posture.
- Policy Management and Training: Develop and maintain a comprehensive set of cybersecurity policies that detail security practices across the organization. Ensure these policies are accessible and regularly updated. Additionally, regular training sessions should be conducted for employees to reinforce policy compliance, inform them of any updates, and educate them on best practices in cybersecurity.
- Documentation and Reporting: Maintain clear documentation of all GRC activities, including audit findings, risk assessment reports, compliance checklists, and incident response actions. This documentation is critical for regulatory reporting, internal review, and continuous improvement efforts, allowing the organization to demonstrate compliance and readiness to external auditors.
Comparison Matrix: HIPAA Security Rule vs. New York’s Cybersecurity Regulations (2024)
| Aspect | HIPAA Security Rule | New York Cybersecurity Regulations (2024) |
| --- | --- | --- |
| Applicability | National, applies to PHI | Specific to NY healthcare entities, broader scope of data |
| Risk Management | Periodic risk assessments | Continuous risk assessments and monitoring |
| Incident Reporting | 60-day reporting for breaches | 72-hour breach reporting requirement |
| Encryption | Addressable for ePHI | Required for all sensitive healthcare data |
| Third-Party Vendor Risk Management | Less emphasis | Strong emphasis on third-party vendor management |
| Governance and GRC Framework | Basic governance framework | Robust GRC with continuous compliance checks |
| Enforcement | Federal (HHS/OCR) | State-level enforcement (NY DFS or others) |
| Penalties | Up to $1.5 million per year per violation | Significant state penalties and potential legal actions |
The Shape of Things to Come: New Regulations Signal the Future
New York is the first state to implement such extensive new regulations, but it is unlikely to be the last. Instead, we expect these changes to be a template for wider compliance upheavals in the future – and the next article in this series will explore what that could mean for the wider healthcare industry.