Mark Furnish and Jane M. Preston of Greenberg Traurig, LLP write:
A new regulation related to cybersecurity program requirements for all New York general hospitals licensed under Article 28 of the Public Health Law (PHL) took effect Oct. 2, 2024. All general hospitals must comply with the new provisions within one year of the adoption date, except that general hospitals must immediately begin notifying the New York State Department of Health (Department) of any determined cybersecurity incident.
Notification must be made no later than 72 hours of determination of a cybersecurity incident.
Read what the regulation requires in the article, but note who this new regulation applies to and who it doesn’t apply to:
The newly adopted requirements apply only to “general hospitals” as defined under PHL §2801(10). Under New York law, a “general hospital” is narrowly and uniquely defined as a hospital engaged in “providing medical or medical and surgical services primarily to in-patients by or under the supervision of a physician on a twenty-four-hour basis with provisions for admission or treatment of persons in need of emergency care and with an organized medical staff and nursing service, including facilities providing services relating to particular diseases, injuries, conditions or deformities.”
As such, the new regulation does not apply to PHL Article 28 licensed nursing homes or diagnostic and treatment centers (including ambulatory surgery centers). Nor does the new regulation apply to adult care facilities licensed under SSL Article 7. However, when presenting these requirements to the Public Health and Health Planning Council, the Department indicated they would investigate applying some form of cybersecurity policy on other licensed facility types in the future.
Read more at The National Law Review.