New York Focuses on Healthcare Cybersecurity: Recent Regulatory and Enforcement Activities


The healthcare sector has seen an alarming uptick in cybersecurity incidents, including ransomware attacks, in recent years. The New York State Department of Health (Department) published new cybersecurity regulations governing “general hospitals,” and a healthcare provider was required to spend $2.25 million to improve its internal cybersecurity program as part of its settlement of cybersecurity breach claims.

Effective immediately, general hospital facilities in New York must report cybersecurity incidents to the Department “as promptly as possible, but no later than 72 hours after” determining a cybersecurity incident has occurred, without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.

Beginning in October 2025, the Regulations will require that New York hospitals: establish a cybersecurity program within the hospital’s policies and procedures; implement cybersecurity policies that are based on the facility’s risk assessment and that address a minimum set of topics set forth in the Regulations; and conduct an annual risk assessment, among other requirements.

Based on the new cybersecurity Regulations and New York State officials’ continued attention to the uptick in cybersecurity concerns in the healthcare sector, hospitals and providers in the state should remain prepared for robust enforcement.
 
