
General Hospital Cybersecurity Requirements Take Effect in New York

October 09, 2024

A new regulation setting cybersecurity program requirements for all New York general hospitals licensed under Article 28 of the Public Health Law (PHL) took effect on October 2, 2024. All general hospitals covered by the regulation must comply with the new provisions within one year of the adoption date, with one exception: general hospitals must immediately begin notifying the New York State Department of Health as soon as possible, and no later than 72 hours, after any determined cybersecurity incident.

Lawyers at Greenberg Traurig summarize the regulation’s requirements:

  • Requires general hospitals to establish a comprehensive program covering risk assessment, response, recovery, and data protection.
  • Mandates the creation of specific cybersecurity policies, including asset management, access control, training, monitoring, and incident response.
  • Requires the appointment of a chief information security officer in each general hospital responsible for program oversight and reporting.
  • Requires general hospitals to conduct regular cybersecurity testing, including scans and penetration testing. 
  • Outlines cybersecurity risk assessment requirements that recognize HIPAA-compliant assessments.
  • Defines qualifications and skills for cybersecurity staff.
  • Sets policies for third-party cybersecurity providers.
  • Mandates multi-factor authentication for external network access and risk-based authentication methods.
  • Specifies requirements for ongoing training and monitoring.
  • Defines incident response plan requirements, which would include roles, contact information, and incident determination.
  • Requires general hospitals to report cybersecurity incidents affecting operations within 72 hours of the incident.
  • Addresses confidentiality and the applicability of state and federal statutes.
  • Allows for third-party or vendor contractors to complete compliance reporting and measures on behalf of the general hospital.

Read more at The National Law Review.