HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

New York hospitals now face stricter cyber rules than HIPAA

Written by Farah Amod | Oct 29, 2025 12:39:01 AM

New York’s new hospital cybersecurity law expands beyond HIPAA, requiring stronger safeguards, faster reporting, and broader data protection measures.


What happened

According to Bank Info Security, hospitals across New York State are now subject to new cybersecurity regulations that go beyond the federal HIPAA Security Rule. The law, which took full effect on October 1, 2025, mandates compliance measures that greatly increase hospitals’ data protection responsibilities.

Originally introduced in 2024, the regulations required hospitals to report cyber incidents to the state health department within 72 hours starting that October. The broader rules now include mandatory multifactor authentication, appointment of a chief information security officer (CISO), annual systemwide risk assessments, and detailed incident response procedures.


Going deeper

Unlike HIPAA, which focuses primarily on protecting patient health information, New York’s law covers a wider range of sensitive data, including personally identifiable information (PII) and business records. Matthew Bernstein, founder of Bernstein Data, said the challenge for hospitals lies in identifying and managing this broader scope of data.

“The requirements as to what to protect and the risk assessments associated with protecting that are really different under this new law,” Bernstein explained. “The important thing is to show the regulator that you have a plan to come into compliance, even if you can't be fully compliant on day one.”

Hospitals are expected to take a proactive, organization-wide approach to risk management. This includes showing continuous progress toward compliance and documenting data governance programs capable of handling both clinical and operational information.


What was said

Bernstein says that the state’s prescriptive approach will require hospitals to rethink how they conduct annual risk assessments and track system vulnerabilities. The new law, he said, “demands a higher level of accountability than what most organizations have been used to under HIPAA.”

He also pointed to “data sprawl” as a growing issue, noting that hospitals must now account for sensitive data scattered across multiple platforms, devices, and cloud systems. Effective data governance, he said, will depend on hospitals mapping all the locations where data resides and enforcing consistent controls.


FAQs

Why did New York introduce new cybersecurity rules for hospitals?

The state introduced these regulations to strengthen healthcare resilience against cyberattacks after several major breaches exposed vulnerabilities not covered under HIPAA.


How do these regulations differ from HIPAA?

HIPAA focuses on safeguarding health information, while the New York rules extend protection to personal, financial, and business data, requiring broader governance and faster incident reporting.


What happens if hospitals cannot meet full compliance immediately?

Hospitals must demonstrate a clear compliance roadmap and documented progress. Regulators may allow phased compliance if organizations can show active risk management and remediation efforts.


How do the new rules affect smaller or rural hospitals?

Smaller hospitals may face resource and staffing challenges in meeting requirements like appointing a CISO or conducting annual systemwide risk assessments, prompting some to seek shared or outsourced cybersecurity models.


Could New York’s law influence other states?

Yes. Experts suggest that other states may follow New York’s lead by enacting similar legislation to close gaps in healthcare data protection and improve cybersecurity oversight beyond HIPAA standards.