White Paper

How to Comply with New York State Department of Health’s Section 405.46 of Title 10 NYCRR with Silverfort

The New York State Department of Health (DOH) established 10 NYCRR 405.46 in 1999, initially to safeguard patient rights regarding restraints and seclusion in hospitals. Since then, it has evolved to address growing cybersecurity concerns in healthcare. The current version mandates that healthcare facilities implement strict cybersecurity protocols, such as data encryption, controlled access, and continuous electronic health record (EHR) monitoring. These updates aim to protect patient privacy and secure the healthcare system against cyber threats.

In October 2024, the DOH introduced further updates to 10 NYCRR 405.46, strengthening the regulation’s cybersecurity mandates across New York’s 195 general hospitals. Hospitals have until October 2025 to comply fully with the new rules, with one exception: the requirement to report cybersecurity incidents within 72 hours took effect in October 2024. The regulation is focused on protecting sensitive patient health information (PHI) and personally identifiable information (PII) from cyber threats.

Key elements of the updated mandate include:

  • Cybersecurity Program: A robust program covering monitoring, incident response, training, and policies is now required.
  • Chief Information Security Officer (CISO): Each hospital must designate a CISO, either as an internal role or through a third party, to oversee cybersecurity.
  • Access Control Measures: Hospitals must enforce multifactor authentication (MFA), manage privileged account access, and conduct annual access reviews.
  • Testing and Vulnerability Assessments: Regular testing, including scans and penetration assessments, is required to manage cybersecurity risks.
  • Audit Trails and Records: Hospitals must maintain audit trails to detect and respond to cyber incidents and securely retain records.
  • Incident Response: A detailed response plan is mandatory, with incident reporting to the Department of Health within 72 hours.

Silverfort, a unified identity security platform, assists hospitals with these new requirements through cost-effective, healthcare-focused solutions. By offering tools for MFA, privileged access security, and continuous threat monitoring, Silverfort helps hospitals comply with reporting and identity security standards efficiently.

Download the full whitepaper to discover:

  • In-depth Compliance Insights: Detailed guidance on meeting each specific requirement of New York’s 10 NYCRR 405.46.
  • Practical Solutions for Implementation: Learn how Silverfort’s platform simplifies MFA and access security, customized for healthcare needs.
  • Future-Ready Security Strategies: Gain insights into how to adapt identity security practices to safeguard against evolving cyber threats.
