Book a Demo

New York Hospital Cybersecurity Requirements: What Hospitals Must Do to Comply with 10 NYCRR 405.46

The New York State Department of Health (NYSDOH) finalized a sweeping new set of cybersecurity requirements for general hospitals licensed under Article 28 of the New York Public Health Law back in October 2024. Codified as 10 NYCRR 405.46, these rules introduce one of the most prescriptive state-level cybersecurity mandates in the nation — extending well beyond HIPAA’s privacy and security requirements.

The deadline for full compliance was October 2, 2025. Hospitals that have not yet achieved compliance are now subject to NYSDOH enforcement activity, including corrective action plans, civil penalties, and increased audit frequency. The focus has shifted for healthcare cybersecurity management from preparation to demonstrating and maintaining compliance under active regulatory oversight.

Hospitals must also report certain cybersecurity incidents within 72 hours, effective when the new rules were published in October 2024.

This article breaks down:

  • Why hospitals are subject to the new requirements
  • What the regulations mandate
  • The consequences of noncompliance
  • And how FortifyData helps hospitals meet the core expectations

Why New York Hospitals Are Impacted

Cyberattacks targeting healthcare have surged. From ransomware shutting down emergency departments to outages impacting medication dispensing, diagnostics, and patient flow. NYSDOH issued 10 NYCRR 405.46 to strengthen the operational resilience of hospitals responsible for critical, continuous patient care.

Unlike HIPAA, which focuses heavily on safeguarding e/PHI, the NY regulation addresses:

  • Patient safety risks resulting from cyber incidents
  • Operational disruptions affecting clinical or administrative systems
  • Nonpublic information, including internal business and operational data
  • Medical device and third-party dependencies

The intent is clear: hospitals must demonstrate they can prevent, detect, respond to, and recover from cyber incidents in a way that protects patients and ensures continuity of care.

What the Regulation Requires (10 NYCRR 405.46)

Below is a breakdown of the requirements in plain language, following the structure of the law. We also encourage you to review the legalese of the 405.46 Hospital Cybersecurity Requirements yourself from the NY State Codes, Rules and Regulations website.

1. Establish a Risk-Based Cybersecurity Program

Hospitals must formalize a written cybersecurity program tailored to their risk profile. This includes:

  • Annual enterprise-wide risk assessments
  • Policies for preventing, detecting, responding to, and recovering from cyber events
  • Documentation of governance, roles, and responsibilities

This risk-based approach mirrors NIST CSF expectations and is more prescriptive than HIPAA’s general “reasonable safeguards” language.

2. Designate Cybersecurity Leadership

Every general hospital must appoint a:

  • Chief Information Security Officer (CISO), or
  • A qualified designee

The CISO must report cybersecurity activities and findings to hospital leadership, making governance and accountability a core part of the program.

3. Implement Specific Technical and Administrative Controls

Hospitals will have to “use defensive infrastructure” and must adopt several defined security controls to be able to detect unauthorized access, demonstrate resilience and ability to recover from cyber incidents. Some of those controls include:

  • Multi-Factor Authentication (MFA) for system and data access
  • Encryption of data at rest and in transit (or compensating controls when not feasible)
  • Vulnerability scanning and periodic penetration testing
  • Access control policies aligned to least privilege
  • Audit logging, monitoring, and logging retention
  • Continuity and recovery procedures

These requirements align closely with common frameworks like NIST CSF, NIST 800-53, and CIS Controls but are now mandatory for New York hospitals. Having cyber GRC capabilities to manage compliance and understand gaps and failures will be fundamental to achieving and then maintaining compliance.

4. Testing and Vulnerability Assessments

One of the most operationally significant — and often overlooked — parts of New York’s new hospital cybersecurity regulation is the mandate for ongoing testing and vulnerability assessments. Under 10 NYCRR 405.46(f), hospitals must continuously assess the effectiveness of their cybersecurity program and identify vulnerabilities across their information systems. These requirements go beyond HIPAA’s “periodic testing” expectations and establish a far more prescriptive standard of care.

The law requires hospitals to ensure that monitoring, testing, and vulnerability management are risk-based, routine, and tied directly to the hospital’s operational environment.

A. Annual Penetration Testing

Hospitals are required to conduct:

  • Penetration testing of hospital information systems at least once per year, and
  • Testing must be performed by a qualified internal or external party

The regulation emphasizes that penetration testing must align to the hospital’s risk assessment, ensuring that testing focuses on high-risk systems such as:

  • Electronic health records (EHR)
  • Clinical and diagnostic systems
  • Medical device networks
  • Cloud-hosted applications
  • Vendor-managed systems with elevated privileges

This shifts penetration testing from a “best practice” to a mandatory annual requirement for all general hospitals in New York.

B. Vulnerability Scanning & Continuous Monitoring

In addition to annual penetration testing, hospitals must also implement:

  • Automated scans or
  • Manual or automated reviews of systems

These assessments must be reasonably designed to identify publicly known cybersecurity vulnerabilities, such as:

  • Missing patches
  • Exposed services or ports
  • Misconfigurations
  • Unsupported or outdated software
  • Known CVEs impacting hospital technologies
  • Vendor-related vulnerabilities in connected systems

Importantly, the regulation requires that vulnerability testing be aligned to the hospital’s specific risk assessment, meaning high-risk systems should receive more frequent or more intensive scanning.

C. Timely Remediation Based on Risk

Detection alone is not sufficient. Hospitals must also:

  • Remediate vulnerabilities within a timeframe appropriate to the risk they pose

The regulation does not define specific SLAs, but a risk-based approach typically includes:

  • Immediate remediation for critical vulnerabilities with active exploits
  • Short-term remediation for high-risk vulnerabilities tied to essential systems
  • Documented remediation timelines for medium and lower-risk issues
  • Compensating controls when patching is not immediately possible (e.g., medical device constraints)

The expectation is that hospitals not only identify vulnerabilities but also demonstrate consistent, risk-driven remediation practices — supported by documentation that NYSDOH can review during audits.

5. Strengthen Third-Party Risk Management

Vendors, service providers, and connected systems represent a major attack surface. The regulation requires hospitals to:

  • Implement and maintain a third-party risk management (TPRM) program
  • Assess vendors with access to hospital systems or nonpublic information
  • Monitor vendors on a continuous or risk-based schedule
  • Ensure contracts include cybersecurity expectations

This brings hospital vendor oversight in line with financial-services regulations like NY DFS Part 500 and GLBA.

6. Report Cybersecurity Incidents Within 72 Hours

Effective October 2024, hospitals must notify NYSDOH within 72 hours of determining that a “cybersecurity incident” has occurred.

The definition is intentionally broad, covering incidents that:

  • Disrupt or degrade hospital operations
  • Could reasonably be expected to impact operations
  • Deploy ransomware or similar malware into material information systems

This moves healthcare toward the rapid-response model already required in critical infrastructure sectors.

7. Retain Documentation for Six Years

Hospitals must securely retain:

  • Risk assessments
  • Policies
  • Incident response plans
  • Audit logs
  • Testing results
  • Remediation documentation

for no fewer than six years.

This requirement ensures ongoing regulatory visibility and audit readiness.

What Noncompliance Means for Hospitals

While 10 NYCRR 405.46 does not include new standalone fine amounts, it is enforced under the New York Public Health Law (PHL)—the same enforcement structure used for deficiencies in areas like life safety, infection control, and operational compliance. Under this framework, NYSDOH may impose:

Base Civil Penalties

Under PHL § 12 and § 12-b, NYSDOH may impose:

  • Up to $2,000 per violation for a first offense
  • Up to $5,000 per violation for repeat or uncorrected violations
  • Higher penalties when violations are deemed “willful,” negligent, or harmful to patient safety

Because cybersecurity failures can directly endanger patient care, violations related to outages, ransomware events, or failure to report incidents may be treated with heightened severity.

  • Administrative actions
  • Corrective action plans
  • Potential fines
  • Increased audit activity
  • Reputational and operational impacts

Hospitals should assume that compliance with 405.46 will be evaluated similarly to infection control, emergency preparedness, or life safety standards — as an operational requirement tied directly to patient safety.

Escalating Penalties for Repeat Violations

Repeat or persistent noncompliance is where the financial exposure grows quickly.

NYSDOH has authority to:

1. Impose higher per-day penalties

Once NYSDOH issues a Statement of Deficiencies, each day the hospital remains out of compliance can constitute an additional violation.

2. Increase fines up to $5,000 per day

For repeat violations or noncompliance considered harmful to patients or operations, penalties can escalate to $5,000 per day until corrected.

3. Issue “Willful Violation” penalties

Under PHL § 12-b, “willful” violations—such as knowingly failing to report a cybersecurity incident within 72 hours—may trigger:

  • Higher civil penalties
  • Criminal penalties (for certain egregious or intentional violations)

This is significant in the context of incident reporting.

Incident Reporting Failures Carry Special Risk

Because the new regulation requires hospitals to report cybersecurity incidents to NYSDOH within 72 hours, failing to do so can be treated as:

  • A violation for each missed reporting requirement
  • A continuing violation for every day the incident goes unreported
  • A potential willful or negligent act if evidence shows leadership knew but did not report

Repeat failures to report may quickly push an organization into $5,000-per-day penalty territory.

Other Enforcement Actions NYSDOH May Pursue

Alongside financial penalties, NYSDOH may also take actions such as:

  • Corrective Action Plans (CAPs)
  • Revocation or limitation of operating certificates (extreme cases)
  • Increased audit frequency
  • Mandated on-site monitoring
  • Referrals to other state or federal regulators

For hospitals already under operational or financial strain, mandatory corrective measures can be as costly as direct fines.

Why These Penalties Matter More for Cybersecurity

Cyber incidents are no longer viewed purely as privacy incidents — they are now tied to:

  • Patient safety
  • Continuity of care
  • Emergency department readiness
  • Medical device operability
  • Business continuity

This means regulators treat them more like life-safety issues, where repeat violations are aggressively escalated.

New York Hospital Cyber Requirements 10 NYCRR 405.46: How FortifyData Helps Meet Compliance

FortifyData’s unified Cyber GRC platform aligns directly to many of the mandated controls across cyber risk management, policy management, continuous monitoring, vulnerability reduction, and vendor oversight that you will find in NYCRR 405.46 for State of New York Hospital cybersecurity requirements.

Below is a guide to the requirements, and a mapping to how FortifyData’s cyber GRC capabilities can help hospitals obtain compliance with the requirements.

1. Enterprise Risk Assessment & Cybersecurity Program Requirements

Regulatory Need: Written, risk-based cybersecurity program and annual risk assessment

FortifyData Helps With:

  • Automated risk assessments covering technical, vendor, and compliance dimensions
  • Attack surface discovery and continuous updates
  • Business-contextualized risk scoring
  • Executive-level reporting for governance

Hospitals gain a measurable, evidence-driven risk baseline aligned to the regulation.

Need a policy for this? Download our free templates for Cybersecurity Program Policy and Cybersecurity Program Charter.

enterprise-dashboard-demo-co-may2025
fortifydata-dashboard-asm-tight

2. Continuous Monitoring & Vulnerability Management

Regulatory Need: Vulnerability scanning (attack surface management), testing, and ongoing monitoring

FortifyData conducts:

  • Continuous external attack surface monitoring
  • Automated vulnerability discovery and prioritization
  • Risk-based remediation guidance
  • Alerting for emerging exposures

This helps hospitals maintain visibility and quickly address weaknesses.

Need a policy for this? Download our free policy template for vulnerability management.

3. Governance, Reporting & Documentation

Regulatory Need: CISO oversight, documented processes, audit trails

FortifyData Supports With:

  • Centralized evidence repository
  • Reporting dashboards for CISOs, boards, and senior leadership
  • Historical logs of risks, remediations, and decisions

This ensures hospitals maintain the required governance and six-year documentation trail.

Need a policy for this? Download our free policy template for Access Control and Identity Management.

Source: FortifyData, Control Library within the Risk and Compliance Module
blank

4. Third-Party Risk Management (TPRM)

Regulatory Need: Assess and oversee third-party service providers

FortifyData conducts:

  • Automated vendor questionnaires (including SIG)
  • External attack surface assessments and AI-risk scoring of third-party environments (when questionnaires aren’t enough)
  • AI-powered audit report and policy analysis
  • Ongoing vendor monitoring

Hospitals gain a scalable, defensible TPRM program aligned with the regulatory mandates.

Learn more how FortifyData is automating trust in the third-party risk management process.

Need a policy for this? Download our free policy template for Vendor and Third-party Risk Management.

5. Incident Response Support

Regulatory Need: Detect, evaluate, and report incidents within 72 hours

FortifyData Supports With:

  • Real-time alerts across assets and vendors
  • Centralized incident portal with cross-linking among similar incidents
  • Evidence tagging and incident mapping
  • Reporting templates that accelerate regulatory notifications

This shortens investigation and documentation timelines when incidents occur.

Video: See how the incident management module works.

Applications

Next Steps

New York’s hospital cybersecurity regulation represents a major step forward in protecting patient safety and operational resilience across the state’s healthcare system. With rising ransomware attacks, medical device risks, and vendor dependencies, hospitals must take a risk-based, continuously monitored approach to security.

FortifyData provides the platform, automation, and visibility hospitals need to meet the requirements of 10 NYCRR 405.46 — from risk assessments to vendor oversight to continuous monitoring.

Hospitals that begin preparing now will be better positioned for compliance, improved cyber resilience, and smoother NYSDOH oversight in the year ahead.

For a broader view of how FortifyData supports healthcare organizations across HIPAA, HITRUST, and state-level requirements, see our healthcare cyber risk management overview

Schedule a demo with FortifyData to discuss how we can help you meet these 10 NYCRR 405.46 hospital cybersecurity requirements.

Frequently asked questions about 10 NYCRR 405.46

What is 10 NYCRR 405.46 and which hospitals does it apply to?

10 NYCRR 405.46 is a cybersecurity regulation finalized by the New York State Department of Health in October 2024, applicable to general hospitals licensed under Article 28 of the New York Public Health Law. It establishes one of the most prescriptive state-level hospital cybersecurity mandates in the country, requiring hospitals to implement formal cybersecurity programs, designate a CISO, conduct annual risk assessments and penetration testing, manage third-party vendor risk, and report cybersecurity incidents to NYSDOH within 72 hours. The full compliance deadline was October 2, 2025.

How does 10 NYCRR 405.46 differ from HIPAA?

HIPAA focuses primarily on protecting electronic protected health information and uses flexible “reasonable safeguards” language that allows broad interpretation. 10 NYCRR 405.46 is significantly more prescriptive — it mandates specific technical controls including multi-factor authentication, encryption, annual penetration testing, and continuous vulnerability scanning, with defined timelines and documentation requirements. It also extends beyond ePHI to cover nonpublic business and operational data, medical device security, and third-party dependencies. Critically, the NY regulation ties cybersecurity failures directly to patient safety, meaning enforcement parallels life-safety standards rather than privacy standards.

What are the penalties for noncompliance with 10 NYCRR 405.46?

Penalties are enforced under the New York Public Health Law and can include civil penalties of up to $2,000 per violation for a first offense and up to $5,000 per violation for repeat or uncorrected violations. Once NYSDOH issues a Statement of Deficiencies, each day the hospital remains out of compliance can constitute a separate violation — meaning repeat noncompliance can quickly reach $5,000 per day. Willful violations, such as knowingly failing to report a cybersecurity incident within 72 hours, may also trigger criminal penalties. NYSDOH may also pursue corrective action plans, increased audit frequency, and in extreme cases, limitations on operating certificates.

What does the 72-hour incident reporting requirement mean for hospitals?

Effective October 2024, New York hospitals must notify NYSDOH within 72 hours of determining that a cybersecurity incident has occurred. The definition of a reportable incident is intentionally broad — covering incidents that disrupt or degrade hospital operations, could reasonably be expected to impact operations, or deploy ransomware or similar malware into material information systems. Failing to report is treated as a separate violation, and continuing failure to report can be treated as a willful or negligent act, escalating both civil and potential criminal exposure. Hospitals should have documented incident identification and escalation procedures that can trigger the reporting clock accurately and quickly.

What vulnerability management requirements does 10 NYCRR 405.46 impose?

The regulation requires annual penetration testing of hospital information systems by a qualified internal or external party, with testing aligned to the hospital’s risk assessment and focused on high-risk systems including EHRs, clinical and diagnostic systems, medical device networks, and vendor-managed systems. In addition to annual penetration testing, hospitals must implement ongoing vulnerability scanning — automated or manual — to identify publicly known vulnerabilities including missing patches, exposed services, misconfigurations, and known CVEs. Identified vulnerabilities must be remediated within timeframes appropriate to their risk level, with documented remediation timelines and compensating controls when immediate patching is not feasible.

How does FortifyData help New York hospitals comply with 10 NYCRR 405.46?

FortifyData’s platform addresses the core technical and governance requirements of 10 NYCRR 405.46 in a single system. Continuous external attack surface monitoring and automated vulnerability discovery satisfy the vulnerability scanning and ongoing monitoring requirements. The Cyber GRC module supports the written cybersecurity program, policy documentation, and the six-year retention requirement for risk assessments, audit logs, and remediation records. Automated vendor questionnaires and external assessments of third-party environments address the TPRM mandate. Real-time alerting and centralized incident documentation support the 72-hour incident reporting requirement. Executive reporting dashboards provide the governance visibility the CISO designation requirement implies.

Resources

blank

A Comprehensive Guide to Achieving HITRUST Certification for Healthcare Organizations

This comprehensive guide will walk you through the key steps, best practices, and resources required to achieve HITRUST certification.

image for HHS Proposed Rule blog post

HHS’s Proposed HIPAA Security Rule Updates

These updates are aimed at equipping healthcare organizations with more robust tools and practices to safeguard ePHI.

Reasons CISOs Choose FortifyData for Attack Surface Visibility

Top 7 Reasons CISOs Choose FortifyData for Attack Surface Visibility

Wondering why CISOs trust FortifyData for attack surface visibility? Discover seven powerful reasons it stands out in protecting organizations from hidden cyber risks.