Hospitals face tighter cyber rules

Healthcare cyber expectations are hardening: New York’s hospital cybersecurity regulation (10 NYCRR 405.46) is now in force, and the federal government has proposed the broadest HIPAA Security Rule update since 2013. (asimily.com) A separate analysis notes that health systems often have rich data but lack the authority structures needed to turn dashboards into operational action, which points to an implementation gap rather than a data gap. (hitconsultant.net)

Hospitals are moving from loose cyber guidance to hard deadlines, board reporting, and incident rules with clocks that can run out within 72 hours. (regs.health.ny.gov) New York’s hospital cybersecurity rule, 10 NYCRR 405.46, took effect on October 2, 2024 and applies to all general hospitals licensed under Article 28 of the state Public Health Law.

The state Department of Health says hospitals must report a material cybersecurity incident “as promptly as possible,” and no later than 72 hours after determining that one occurred; the clock starts at the hospital’s determination that a material incident has occurred. New York’s November 19, 2024 administrator letter said the 72-hour reporting obligation took effect immediately. (health.ny.gov) Beyond reporting, the rule requires a cybersecurity program, written policies, a designated chief information security officer, annual reporting to the governing body, annual risk assessments, and controls for identity management, audit trails, and third-party risk.

The New York rule also shows what “hardening” looks like in practice: hospitals must use multi-factor authentication, risk-based authentication, or another compensating control to protect against unauthorized access to nonpublic information or information systems. The state ties the rule to outside frameworks, including the National Institute of Standards and Technology Cybersecurity Framework 2.0 and NIST SP 800-53 Rev. 5. (regs.health.ny.gov, health.ny.gov)

At the federal level, the U.S. Department of Health and Human Services proposed the biggest update to the Health Insurance Portability and Accountability Act Security Rule since 2013 on December 27, 2024. The proposal would require health plans, clearinghouses, most providers, and business associates to strengthen protections for electronic protected health information. (hhs.gov) HHS said reports of large breaches rose 102% from 2018 to 2023, while the number of people affected rose 1,002%. In 2023 alone, more than 167 million people were affected by large breaches, according to the agency. (hhs.gov)

The compliance problem is not only technical. In an April 16, 2026 analysis, Salubrum chief executive Osama Usmani wrote that many health systems already have enterprise data warehouses, predictive models, and dashboards, but that “the intelligence layer” often lacks a clearly designated owner with authority to change staffing, capacity, or contracting before plans are locked in. (hitconsultant.net) Usmani said analytics in many systems still functions as a reporting layer, with dashboards reviewed quarterly and decisions anchored in precedent and negotiated compromise. He argued that the bottleneck is often sequencing and ownership, not a shortage of data. (hitconsultant.net)

That leaves hospital leaders with two overlapping jobs in 2026: meet specific cyber controls that regulators can inspect, and build authority lines that let security and operations teams act on warnings before an outage or ransomware event reaches patient care. New York has already put those expectations into regulation, and the federal proposal points in the same direction. (health.ny.gov, hhs.gov)


Shared from Scout - Be the smartest in the room.