Every general hospital in New York State is now experiencing a significant shift in its cybersecurity requirements. As of October 2, 2024, the New York State Department of Health has introduced comprehensive amendments to Part 405.3 that mandate stronger cybersecurity controls for all 195 general hospitals in the state. Hospitals that are required to comply must do so by October 2, 2025.
These new regulations mandate that all general hospitals implement advanced cybersecurity programs and follow new incident reporting protocols, including a 72-hour window for reporting significant cybersecurity incidents. In today’s healthcare landscape, where all systems and services manage everything from patient records to critical care equipment, these requirements represent an important step toward protecting the healthcare infrastructure. Let’s explore what these changes mean for general hospitals and how Silverfort can help.
Understanding 10 NYCRR 405.46
Introduced by the New York State Department of Health (DOH) in 1999, 10 NYCRR 405.46 initially focused on protecting patient rights in hospital settings, particularly regarding the use of restraints and seclusion. In response to the increasing integration of technology into healthcare operations, the regulation evolved to address the growing risk of cyber attacks against healthcare data and systems.
According to 10 NYCRR 405.46, healthcare facilities are required to implement comprehensive cybersecurity measures to protect sensitive patient information and critical hospital infrastructure. Up until October 2024, these measures included data encryption, access controls, and continuous monitoring of electronic health records (EHRs). This ensured that hospitals maintained rigorous data protection standards, reinforcing both patient privacy and healthcare system resilience against cyber threats.
By mandating such proactive cybersecurity standards, New York State supported hospitals in upholding both the privacy rights and safety of their patients and highlighted their commitment to adapting healthcare regulations in response to emerging cybersecurity challenges.
New York State’s New Cybersecurity Mandates for Hospitals: 10 NYCRR 405.46
The New York State Department of Health announced in early October 2024 new regulations to 10 NYCRR 405.46, mandating stronger cybersecurity protections across New York’s 195 general hospitals.
Full compliance is required by October 2, 2025, though hospitals must begin reporting cybersecurity incidents within 72 hours as of October 2, 2024. This regulation targets protection for patient health information (PHI) and personally identifying information (PII) against cyber threats.
Key Components:
- Cybersecurity Program: Hospitals must implement a robust cybersecurity program that includes network monitoring, incident response, training, and policy development.
- Chief Information Security Officer (CISO): Hospitals are required to appoint a CISO, either as a direct employee or a third-party contractor, to oversee cybersecurity measures.
- Testing and Vulnerability Assessments: Regular testing, including scans and penetration assessments, is required to manage cybersecurity risks.
- Audit Trails and Records: Hospitals must maintain audit trails to detect and respond to cyber incidents and securely retain records.
- Incident Response: A detailed response plan is mandatory, with incident reporting to the Department of Health within 72 hours.
- Access Control Measures: Requirements include enforcing multifactor authentication (MFA) for external systems, limiting privileged account use, annual access reviews, and tailored cybersecurity training.
Mandates and State Support:
- Annual Access Review: Hospitals must annually review and remove unnecessary user access, posing challenges for legacy accounts.
- Funding and Insurance Impact: New York has allocated $500 million to support compliance, with potential impacts on cyber insurance terms.
Through these mandates, New York aims to strengthen healthcare cybersecurity and support hospitals in protecting patient data from evolving cyber threats.
Resolve Every 10 NYCRR 405.46 Identity Security Requirement with Silverfort
Silverfort equips hospitals to meet New York’s new cybersecurity mandates with efficient, cost-effective identity security capabilities tailored to healthcare environments. By integrating Silverfort’s key capabilities into your cybersecurity program, you will be able to check the box for each 10 NYCRR 405.46 requirement by:
- Extending MFA protection to command-line access, legacy apps, IT infrastructure, and other critical resources that couldn’t be protected before.
- Applying strong access controls by enforcing MFA across all sensitive resources, ensuring only authorized users can access critical systems and data.
- Enforcing MFA or access-block policies on all privileged users, both human admins and service accounts, so that they have access only when necessary, a key component of privileged access security.
- Continuously monitoring all access requests to detect anomalies and prevent malicious access in real time.
- Detecting identity threats such as privilege escalation and lateral movement, and responding automatically with real-time blocking.
With Silverfort’s rapid incident detection, hospitals can meet the 72-hour reporting requirement by quickly identifying cybersecurity incidents. Furthermore, Silverfort supports comprehensive risk assessments and offers valuable tools that assist newly appointed CISOs in managing comprehensive security programs.
Designed with healthcare environments in mind, Silverfort addresses industry-specific threats and prepares hospitals for future regulations by implementing scalable identity security controls aligned with security best practices.
Download our white paper to learn more about how Silverfort can assist you in meeting the requirements of 10 NYCRR 405.46 or schedule a call with one of our experts.