New York hospitals now face stricter cyber rules than HIPAA

New York’s new hospital cybersecurity law expands beyond HIPAA and introduces tougher safeguards, faster reporting timelines, and broader data protection obligations.

 

What happened

Bank Info Security reports that hospitals across New York State are now operating under cybersecurity rules that exceed the requirements of the federal HIPAA Security Rule. The law took full effect on October 1, 2025, and brings a set of compliance expectations that substantially expand hospitals’ responsibilities.

The regulations were first introduced in 2024 and, beginning that October, required hospitals to report cyber incidents to the state health department within 72 hours. Now, the full framework includes mandatory multifactor authentication, the designation of a chief information security officer (CISO), annual systemwide risk assessments, and more detailed incident response processes.

 

Going deeper

While HIPAA concentrates on protecting patient health information, New York’s law covers a wider set of sensitive data, including personally identifiable information and business records. Matthew Bernstein, founder of Bernstein Data, noted that the increased scope creates new challenges for hospitals as they work to understand and map all the data they handle.

“The requirements as to what to protect and the risk assessments associated with protecting that are really different under this new law,” Bernstein said. “The important thing is to show the regulator that you have a plan to come into compliance, even if you can't be fully compliant on day one.”

Hospitals are expected to demonstrate an enterprise-level approach to risk management, documenting their progress and showing that data governance programs can support both clinical operations and administrative workflows.

 

What was said

Bernstein noted that the state’s prescriptive model will likely change how hospitals approach their annual risk assessments and vulnerability tracking. The law, he said, “demands a higher level of accountability than what most organizations have been used to under HIPAA.”

He also pointed to “data sprawl” as an ongoing challenge, explaining that hospitals now must identify sensitive data across various platforms, devices, and cloud environments. Strong data governance, he said, will depend on whether hospitals can map where information lives and apply consistent controls across all those locations.

 

FAQs

Why did New York introduce new cybersecurity rules for hospitals?

The state implemented these rules after a series of healthcare breaches revealed gaps in protections that HIPAA does not address.

 

How do these regulations differ from HIPAA?

HIPAA focuses on health information. New York’s rules extend to personal, financial, and business data and require broader governance and quicker incident reporting.

 

What happens if hospitals cannot meet full compliance immediately?

Organizations must show that they have a defined plan and measurable progress. Regulators may allow phased compliance if hospitals demonstrate ongoing risk management efforts.

 

How do the new rules affect smaller or rural hospitals?

Smaller organizations may struggle with staffing or resource demands, such as appointing a CISO or conducting annual systemwide assessments, which is why some are considering shared or outsourced cybersecurity services.

 

Could New York’s law influence other states?

Industry experts believe other states may take similar steps to close gaps in healthcare data protections and introduce stronger requirements than HIPAA alone.