N.Y. Hospital Cybersecurity Regulations Go Into Effect Oct. 2
Heightened cybersecurity regulations for New York State hospitals go into effect on Oct. 2.
As a blog post from the law firm Holland & Knight notes, regulated entities in New York are already required to report "cybersecurity incidents," but the balance of the regulations go into effect on Oct. 2.
While immediate 72-hour reporting of cybersecurity incidents to the New York Department of Health began in late 2024, the October 2, 2025, deadline requires hospitals to implement broader cybersecurity programs.
The regulations require hospitals to establish a Chief Information Security Officer role, if one does not exist already, in order to enforce the new policies and to annually review and update them as needed. Additionally, the regulations require the use of multi-factor authentication to access the hospital’s internal networks from an external network.
The regulations require that hospitals retain logs from cybersecurity events and incidents that had a material adverse impact on the hospital and therefore had to be reported to the Department of Health.
The regulations also mandate that each hospital’s cybersecurity program include written procedures, guidelines, and standards for developing secure practices for in-house applications intended for use by the facility. Hospitals will also be required to establish policies and procedures for evaluating, assessing, and testing the security of externally developed applications used by the hospital and of third-party service providers.
As Holland & Knight notes, “the regulations do not specify penalties for noncompliance; however, in such cases, the Department of Health retains the authority to impose civil penalties against parties that fail to comply with applicable statutes and regulations. Additionally, the regulations are considered part of the minimum standards for hospitals, meaning noncompliance could lead to enforcement action against their license.”
A blog post from the firm of Phillips Lytle LLP notes that “while the costs of implementing the regulations will depend on the cybersecurity programs currently in place, it is estimated that it may cost between $250,000 and $10 million to initially develop and implement, and about $50,000 to $2 million (or more) to maintain annually, depending on the facility size.”
The Phillips Lytle blog also notes that the regulations do not extend to nursing homes or residential health care facilities, public health centers, diagnostic and treatment centers (including ambulatory surgery centers), outpatient lodges for cancer treatment, dispensary and laboratory or central service facilities serving more than one institution.
About the Author

David Raths
David Raths is a Contributing Senior Editor for Healthcare Innovation, focusing on clinical informatics, learning health systems and value-based care transformation. He has been interviewing health system CIOs and CMIOs since 2006.
