On May 15, 2024, the New York State Department of Health (“NYSDOH”) published revisions to the proposed hospital cybersecurity regulations that it first released in November 2023. Most of the requirements of the initially proposed regulations have been retained in the revised version, subject to a few modifications. The revised proposed regulations are subject to a notice and comment period until July 1, 2024 and, if finalized, would come into effect one year after finalization—with the exception of the requirement for hospitals to report security incidents to NYSDOH within 72 hours, which would take effect immediately. To comply, hospitals would need to update their cybersecurity policies and procedures, hire cybersecurity professionals, change their incident response procedures, and revise their planned security risk assessments.

Click here to read the Ropes & Gray client alert for more information on how these proposed regulations will affect New York hospital operations.