On November 13, 2023, New York Governor Kathy Hochul announced the release of proposed statewide hospital cybersecurity regulations that would require state-licensed hospitals to establish cybersecurity programs, policies and procedures (the “Proposed Regulations”). The Proposed Regulations feature requirements regarding cybersecurity policies and procedures, personnel, user authentication methods, security risk assessments, incident response plans, and two-hour reporting of certain incidents.

If approved by the New York State Public Health and Health Planning Council (“PHHPC”) and subsequently finalized, the Proposed Regulations would supplement federal Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule requirements but would be broader in some respects, including with regard to what information is subject to the requirements.

Click here to read Ropes & Gray’s Client Alert on the proposed requirements