New York Governor Kathy Hochul recently announced proposed cybersecurity rules for New York hospitals, which are due to be published in the State Register on December 6, 2023, subject to approval by the Public Health and Health Planning Council.  The Governor's press release indicates that the proposed regulations, if enacted, will require New York hospitals to meet at least the following requirements: 

  • Establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks;
  • Develop a response plan for potential cybersecurity incidents, including notification to the appropriate parties;
  • Run tests of the response plan to ensure that patient care continues while systems are restored back to normal operations;
  • Adopt written procedures, guidelines, and standards to develop secure practices for in-house applications;
  • Establish policies and procedures for evaluating, assessing, and testing the security of externally developed applications used by the hospital;
  • Designate a Chief Information Security Officer to enforce these policies and to annually review and update them as needed; and
  • Use multi-factor authentication to access the hospital’s internal networks from an external network.

The proposed regulations have not officially been published, but the text currently under consideration by the Public Health and Health Planning Council is available here (see pages 31-62).  Once the proposed regulations are published in the State Register, they will likely be subject to a 60-day public comment period.

While HIPAA compliance is nothing new for hospitals, the HIPAA Security Rule is the regulatory floor, not the ceiling, for cybersecurity safeguards. Several of the items listed above (multi-factor authentication for access from external networks, written secure development standards for in-house applications, security testing of externally developed applications, and a designated Chief Information Security Officer) are not expressly required by HIPAA. New York hospitals should therefore stay attuned to these proposed regulations, which will likely require investment in more stringent administrative and technical security safeguards.

Epstein Becker Green will be closely monitoring these developments and will be publishing updates as details emerge.  For additional information about the issues discussed above, or if you have any other privacy, cybersecurity, or data asset management concerns, please contact the Epstein Becker Green attorney who regularly handles your legal matters, or one of the authors of this blog post. Read more about our expansive capabilities and offerings here.
