Hospital Cybersecurity Requirements
Section 405.46 - Hospital Cybersecurity Requirements (Effective Date 10/02/2024)
On October 2, 2024, the New York State Department of Health (DOH) published a cybersecurity regulation (10 NYCRR 405.46) for all general hospitals licensed pursuant to article 28 of the Public Health Law.
Cybersecurity Incident Reporting Procedure
To report a material cybersecurity incident, facilities must call the NYS Department of Health's Surge Operations Center (SOC) at 917-909-2676.
The document below contains sample intake questions that the facility will be asked to answer when reporting an incident to the SOC.
Control Mapping Guidance Document
The mapping document below maps each requirement of the cybersecurity regulation (10 NYCRR 405.46) to the NIST Cybersecurity Framework 2.0, NIST SP 800-53 (rev. 5), and Health Industry Cybersecurity Practices (HICP) - Cybersecurity Practices for Medium and Large Healthcare Organizations (Volume 2).
Frequently Asked Questions (FAQs)
1) How can an organization address third-party risks?
The third-party vendor requirements in the regulation are minimum cybersecurity best practices, widely used across industries. These requirements are essential to maintaining a hospital's security resilience while contracting with third-party vendors. Hospitals shall conduct risk assessments and further detail their third-party security policies and procedures based on their size, scope and security posture. Some readily available guidelines are listed below:
- HHS Guidelines and Best practices on Supply Chain Risk Management
- Health Sector Coordinating Council's Guide on Supply Chain Risk Management
- CISA's Supply Chain Risk Management (SCRM) Essentials, a guide that gives leaders and staff actionable steps for starting to implement organizational SCRM practices and improving overall security resilience
- NIST's key practices for Cyber Supply Chain Risk Management
2) How does an organization meet audit trail and records maintenance requirements?
Which audit trails to retain should be determined by the hospital's risk assessment, as required by section (g)(3) of the regulation: "Designs for the security systems and audit trails required pursuant to paragraphs (1) and (2) of this subdivision shall be based on the hospital's risk assessment."
The regulation requires hospitals to retain logs from cybersecurity events and incidents that had a material adverse impact on the hospital and therefore had to be reported to the Department. Please see section (n) of the regulation for further clarification.
3) When does an organization need to report a cybersecurity incident to the Department?
As per the regulations, "(1) The hospital or their designee shall notify the department as promptly as possible, but no later than 72 hours after determining a cybersecurity incident, as defined herein, has occurred, in a manner prescribed by the department..."
Note that the 72-hour clock starts when the hospital determines that a reportable incident has occurred, not when the event first happened. The regulation defines a cybersecurity incident as a cybersecurity event that: "(i) has a material adverse impact on the normal operations of the hospital; or (ii) has a reasonable likelihood of materially harming any part of the normal operation(s) of the hospital; or (iii) results in the deployment of ransomware within a material part of the hospital's information systems."