New York hospitals have new cybersecurity requirements
Lexology October 23, 2024
On October 2, 2024, the New York State Department of Health (DOH) published a new cybersecurity regulation (10 NYCRR 405.46) for all general hospitals licensed pursuant to article 28 of the Public Health Law. Although most of the regulation will take effect in one year, on October 2, 2025, the requirement that covered hospitals provide notice to DOH within 72 hours of a “Cybersecurity incident” (which can include third party incidents) went into effect upon publication. The regulation includes elements of both the Health Insurance Portability and Accountability Act (HIPAA) and the New York Department of Financial Services (NYDFS) cybersecurity regulation.
Similar to HIPAA, the new regulation includes unsuccessful attempts to gain unauthorized access as a “cybersecurity event,” but reporting...