NYS DOH to Enforce Cybersecurity Regulation on General Hospitals

The New York State Department of Health (DOH) will implement cybersecurity regulation 10 NYCRR 405.46, which requires all general hospitals in the state to comply with enhanced cybersecurity standards. The regulation took effect in October 2024, with a full compliance deadline set for October 2, 2025. Among its immediate requirements, hospitals must report any material cybersecurity incident to the DOH’s Surge Operations Center (SOC) within 72 hours. These rules represent an expansion beyond existing government regulations such as the HIPAA Security Rule, introducing new expectations around governance, data protection, and incident response.

General hospitals in New York are already obligated to comply with HIPAA’s Security Rule, which focuses on protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI). The new DOH regulation expands the scope of protected data to include “electronic nonpublic information”. This covers personally identifiable information (PII), which is not limited to patient data, as well as business-related data. As a result, hospitals must now implement measures that safeguard both clinical and administrative data across their networks.

The Cybersecurity Program Requirements

General hospitals must implement a cybersecurity program based on the hospital’s risk assessment. The cybersecurity rules stipulate several required components that go beyond HIPAA. The cybersecurity program should identify internal and external threats that may endanger the security or integrity of nonpublic information on the hospital’s networks and that could affect the continuity of the hospital’s operations.

The cybersecurity program should include:

  • Defensive infrastructure must be in place to protect information systems from unauthorized access, misuse, and malicious attacks.
  • Systems must be able to detect, respond to, and recover from cybersecurity incidents so that normal operations can be restored efficiently.
  • Access controls to sensitive systems must be restricted, with regular reviews of user privileges to avoid unnecessary or excessive access.
  • Hospitals must implement and regularly assess controls to minimize risks from phishing, spoofing, and email fraud.
  • Data must be encrypted in transit and at rest, and storage of nonpublic information must be limited. Procedures for the disposal of data no longer required must be secure.
  • Hospitals must use multifactor authentication (MFA), risk-based authentication, or equivalent compensating controls to prevent unauthorized system access.

Unlike HIPAA’s requirement for periodic risk assessments, the new DOH rule specifically requires a yearly risk assessment to identify vulnerabilities affecting nonpublic data. The cybersecurity program as a whole must also undergo a yearly effectiveness assessment.

Hospitals must also perform yearly penetration tests, either internally or through a qualified third party, to assess the resilience of their systems. All corresponding compliance documentation must be retained for six years, ensuring transparency and traceability in case of audits or incidents.

Each hospital will need a Chief Information Security Officer (CISO), a qualified executive or senior-level leader with appropriate training and expertise to oversee the cybersecurity program. The CISO may be supported by qualified cybersecurity staff or a third-party firm. This leadership requirement establishes accountability and continuing oversight of cybersecurity practices throughout the organization.

Experts predict that the DOH will enforce these new rules diligently. According to Matthew Bernstein, an information governance strategist with over 20 years of experience counseling healthcare institutions, hospitals that are HIPAA-compliant do not automatically meet the DOH requirements and should start preparing for compliance now. Waiting until the DOH begins active enforcement can expose hospitals to financial penalties ranging from $1 million to $5 million.

With the 2025 compliance deadline approaching, hospitals should act quickly to develop and implement compliant cybersecurity frameworks. Systems need not be perfect immediately, but hospitals must demonstrate governance and intent, showing regulators and stakeholders that they are actively working toward compliance.

About Thomas Brown
Thomas Brown worked as a reporter for several years at ComplianceHome. Thomas is a seasoned journalist with several years’ experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X: https://x.com/Thomas7Brown