[co-author: Ben Steinberg]
New York hospitals have less than a year to dust off their Health Insurance Portability and Accountability Act (HIPAA) compliance programs and update them to comply with more stringent and detailed state regulations. Last month, the New York State Department of Health (NYSDOH) published a notice of adoption of new hospital cybersecurity requirements, codified at 10 NYCRR § 405.46, aimed at enhancing the protection of patients' protected health information (PHI), as defined in HIPAA, and personally identifiable information (PII) (the Regulations). The Regulations create a number of requirements for general hospitals licensed under Article 28 of the Public Health Law. Regulated entities are expected to come into compliance by Oct. 2, 2025 (i.e., within one year of adoption), with the exception of the new incident reporting obligation discussed below, which is effective as of the adoption date.
Key Provisions
The Regulations indicate that New York hospitals must:
- Conduct a risk assessment, at least annually, concerning the confidentiality, integrity and availability of certain "nonpublic information," as well as the hospital's ongoing business activities and information systems. Nonpublic information includes the hospital's business-related information that would cause a material adverse impact to the business if it was tampered with or disclosed. It also includes PHI or PII. PII is information that identifies a person, along with certain data listed in the Regulations such as a Social Security number, driver's license number or credit card number.
- Establish a cybersecurity program commensurate with the hospital's risk assessment that is designed to identify and protect against cybersecurity risks, as well as detect, respond to and recover from any "cybersecurity events" [1] that take place
- Conduct testing and vulnerability assessments of the cybersecurity program
- Implement a cybersecurity policy addressing 15 listed topics, including data governance, access controls, patient privacy and disaster recovery
- Maintain systems capable of supporting ordinary operations, as well as audit trails designed to detect and respond to certain cybersecurity events; records pertaining to these systems are to be maintained for a minimum of six years
- Designate a chief information security officer (CISO)
- Establish an incident response plan
- Report to the NYSDOH any "cybersecurity incident" [2] no later than 72 hours after such incident's occurrence
The Regulations also set forth requirements concerning personnel, third-party service providers, training and monitoring, as well as access management such as multi-factor authentication for accessing information systems. They do not prescribe exactly how a hospital should achieve compliance. For example, hospitals can choose to subcontract for cybersecurity services in order to mitigate the costs of implementation.
What About HIPAA?
Responses to public comments indicate the NYSDOH's intention to supplement HIPAA protections of PHI and PII. The Regulations are coming at a time when the U.S. Department of Health and Human Services (HHS) has announced that proposed updates to the HIPAA Security Rule are in process. Hospitals should be mindful of the following distinctions:
- These Regulations add more detail to HIPAA's flexible and scalable security requirements. For example, the Regulations require a hospital to use "multi-factor authentication, risk-based authentication, or other compensating control to protect against unauthorized access to nonpublic information or information systems."
- These Regulations impose a 72-hour timeline for breach notifications to the NYSDOH, while HIPAA requires that notification of breaches of unsecured protected health information be made to patients within 60 days of discovery. HHS must also be notified within that timeframe if a breach involves 500 or more individuals in a particular state or jurisdiction. Otherwise, HHS may be notified within 60 days after the end of the calendar year in which the breach was discovered.
- These Regulations apply to "nonpublic information," which includes a hospital's business-related information in addition to PHI and PII. HIPAA does not extend as far.
- HIPAA applies to a wide range of covered entities – namely health plans, healthcare clearinghouses and most healthcare providers – while these Regulations apply only to general hospitals licensed under Article 28 of the New York Public Health Law.
- These Regulations require a CISO who must be a qualified person from either senior- or executive-level staff or from a third party or contract vendor, whereas HIPAA more generally requires designation of a "security official" who is responsible for the entity's security policies and procedures.
Key Takeaways
The Regulations are intended to ensure that general hospitals in New York maintain a minimum level of cybersecurity controls that protect patients' PHI and PII against public disclosure or other improper use such as identity theft, and that also protect a hospital's business operations. Regulated entities are advised to evaluate their current cybersecurity programs and policies with an eye toward achieving compliance in the coming year.
Notes
[1] "'Cybersecurity event' means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse the hospital's information system or information stored on such information system, including but not limited to health records." 10 NYCRR § 405.46(b)(4).
[2] "'Cybersecurity incident' means a cybersecurity event that: (i) has a material adverse impact on the normal operations of the hospital, or; (ii) has a reasonable likelihood of materially harming any part of the normal operation(s) of the hospital; or (iii) results in the deployment of ransomware within a material part of the hospital's information systems." Id. at § 405.46(b)(5).