Starting October 2, 2024, all New York general hospitals must comply with new cybersecurity regulations designed to protect patient health and personal data. These requirements, part of a state-wide effort introduced by Governor Hochul, require hospitals to develop comprehensive cybersecurity programs. Hospitals must appoint a chief information security officer, implement multi-factor authentication, and report cybersecurity incidents within 72 hours. The regulations, which supplement but do not replace existing HIPAA standards, also establish policies for third-party providers, regular testing, and employee training. Compliance costs could range from $50,000 to $2 million annually, depending on hospital size, though $650 million in funding has been made available to assist facilities with these expenses.
The regulation stems from the New York State Cybersecurity Strategy, which aims to protect the state’s critical health infrastructure. Hospitals have been facing frequent cyber threats, with significant breaches compromising thousands of patients’ data. These new cybersecurity standards apply only to Article 28 licensed general hospitals, excluding nursing homes and treatment centers, though future expansions are possible.