Understanding New York’s New Cybersecurity Regulations for Hospitals
New York State has introduced comprehensive cybersecurity requirements for general hospitals, mandating stronger protections and quick incident reporting. The new regulations require hospitals across the state to report any cybersecurity incidents to the New York State Department of Health within 72 hours of discovery, a shift that may signal more prescriptive cybersecurity standards for healthcare nationwide.
Beyond the 72-hour reporting requirement, which took effect on October 2, 2024, hospitals must implement key cybersecurity measures, such as multifactor authentication and a robust incident response plan, by October 2025. These regulations currently apply only to general hospitals, excluding other healthcare facilities like nursing homes and diagnostic centers.
Cyberattacks, especially ransomware, have posed increasing threats to healthcare organizations of all sizes. An October 2024 report from Microsoft revealed a 300% rise in ransomware attacks in the sector since 2015, highlighting the healthcare industry’s vulnerability despite available guidance and emerging regulations.
What sets the New York regulations apart is their emphasis on specific security measures to address cyber threats, complementing existing HIPAA requirements. Governor Kathy Hochul emphasized the need for a unified cybersecurity approach, especially for hospitals, stating in a press release that these regulations “set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”
As your facility deals with new health regulations, Tectonic is here to help. Contact us today.