Understanding the New York State Department of Health Cybersecurity Requirements: What it Means for Identity Governance Processes

Nov 25, 2024

In October 2024, the New York State Department of Health (NYSDOH) adopted new cybersecurity requirements as part of their regulations for hospitals – a move that signifies “a step toward more prescriptive healthcare cybersecurity requirements” for the healthcare industry. The team at Zilla Security is helping customers understand and implement the NYSDOH cybersecurity requirements, which include specific identity and access management mandates.

We wanted to dig a bit deeper into the specific requirements of the NYSDOH cybersecurity regulations and highlight how hospital IT teams can achieve and track compliance.

What are the NYSDOH cybersecurity requirements?

There’s quite a bit packed into the new requirements. Their intent is to ensure that hospitals across the state “maintain a minimum level of readiness to prepare for, respond to, and quickly recover from cybersecurity incidents.”

Effective immediately, all general hospitals in the state of New York must begin reporting cybersecurity incidents to the NYSDOH no later than 72 hours after an incident has been identified. Additionally, hospitals must comply with specific cybersecurity requirements by October 2025, including:

  • Establishing a cybersecurity program with specific protocols, procedures, and core functions
    • This includes requirements for audit trails and records maintenance and retention; IT staffing; and cybersecurity training and monitoring
    • It also requires hospitals to employ multi-factor authentication, risk-based authentication or other controls to protect against unauthorized access to Nonpublic Information or information systems
    • Hospitals must conduct user access reviews at least annually, including disabling any unnecessary access and promptly terminating access upon an employee’s departure
  • Designating a Chief Information Security Officer
  • Conducting risk assessments and updating policies and procedures based on the results

My hospital is HIPAA compliant – What’s the difference?

The NYSDOH regulations are intended to supplement and extend the Health Insurance Portability and Accountability Act (HIPAA) security rules. While HIPAA is focused on safeguarding protected health information (PHI) and personally identifiable information (PII), the state regulations extend that protection to Nonpublic Information – such as “the systems that support the continuity of patient care across the hospital ecosystem.”

The state regulations are focused on ensuring hospitals are resilient against cyber attacks. The ultimate goal is to enhance preparedness for cyber attacks targeting healthcare organizations without prescribing specific technologies, programs, or software.

How Identity Governance Solutions Can Help with NYSDOH Compliance

As hospitals develop and launch their cybersecurity program and roll out governance processes, modern identity governance solutions can help achieve and maintain compliance with these new cybersecurity requirements, as well as develop detailed reports that satisfy audit and evidence requirements. As hospitals look to implement a solution, there are a few specific benefits that an IGA solution like Zilla can provide to support compliance, including visibility into identities and automation for user access reviews. 

Complete Visibility Across the Entire Identity Ecosystem

  • You can’t protect what you can’t see. Gain granular visibility into both the human and non-human identities as the hospital integrates new applications, provisions new users, and conducts access reviews
  • Develop comprehensive audit trails with robust evidence packages to satisfy even the most stringent government and industry audit requirements

Defend Against Unauthorized Access with Automated User Access Reviews

It may seem like a daunting task to add such significant requirements within a hospital in one year (especially with IT budgets as lean as they are) – but it is possible. Zilla can help customers work towards compliance with these new requirements. Book a demo today to learn more!

Author


Zilla is Modern IGA, offering the fastest time-to-value and breakthrough automation built from the ground up for today’s hybrid enterprise.

