Leverage continuous cyber risk monitoring, risk quantification and more advanced tools

On October 2, 2025, New York State’s healthcare sector will enter a new era of cybersecurity. The New York State Department of Health (NYSDOH) has adopted groundbreaking regulations that will significantly enhance the cybersecurity posture of hospitals across the state. As cyber threats continue to evolve and target the healthcare industry with increasing frequency and sophistication, these regulations come as a timely and critical measure to protect patient data and ensure the continuity of healthcare services.
The Urgency of Cybersecurity in Healthcare
The healthcare industry faces severe challenges when it comes to cybersecurity. In recent years, the sector has seen a dramatic increase in cyberattacks. Between 2022 and 2024, the number of individuals affected by healthcare data breaches nearly tripled. Even more alarming, there was a 239% increase in hacking incidents and a 278% rise in ransomware attacks between January 2018 and September 2024.
These statistics underscore the critical need for robust cybersecurity measures in healthcare. The new NYSDOH regulations are a direct response to this escalating threat landscape, aiming to protect not only patient data but also the continuity of critical healthcare services. SAFE’s advanced risk quantification, proactive security measures and continuous risk management can play a pivotal role in helping hospitals meet these stringent requirements effectively and efficiently.
Key Requirements of the New Regulations
The new cybersecurity regulations, codified at 10 NYCRR § 405.46, mandate that all general hospitals licensed under Article 28 of the Public Health Law must implement a comprehensive cybersecurity program.
The key components of this program include:
- Written Cybersecurity Program: Hospitals must establish and maintain a written cybersecurity program designed to protect the confidentiality, integrity, and availability of the hospital’s information systems.
- Chief Information Security Officer (CISO): Each hospital must designate a qualified CISO to oversee and implement the cybersecurity program.
- Annual Risk Assessments: Hospitals are required to conduct comprehensive risk assessments at least annually. SAFE’s risk quantification platform enables organizations to conduct dynamic, real-time risk assessments tailored to evolving threats. The platform implements FAIR (Factor Analysis of Information Risk), recognized by regulators as the standard for quantitative cyber risk analysis.
- Cybersecurity Policies: Based on the risk assessment, hospitals must develop and implement specific cybersecurity policies. SAFE provides automated policy recommendations as risk treatment options based on real-time risk analysis.
- Technical Safeguards: The regulations mandate the implementation of specific technical safeguards to protect against cyber threats. SAFE integrates seamlessly with hospitals’ existing security infrastructure to enhance their defense posture.
Immediate Reporting Requirement
While most provisions come into effect on October 2, 2025, one critical aspect is already in force. As of October 2, 2024, hospitals must report cybersecurity incidents to the NYSDOH within 72 hours of discovery. This rapid reporting requirement underscores the urgency of cybersecurity threats and the need for swift action in the face of potential breaches. SAFE’s cyber risk quantification capabilities enable hospitals to assess the severity of incidents in compliance with regulatory timelines.
A reportable cybersecurity incident is defined as an event that:
- Has a material adverse impact on the normal operations of the hospital;
- Has a reasonable likelihood of materially harming any part of the normal operations of the hospital; or
- Results in the deployment of ransomware within a material part of the hospital’s information systems.
How SAFE Supports Compliance with NYSDOH Regulations
1. Cyber Risk Quantification and Continuous Monitoring
SAFE offers a real-time risk quantification platform that enables hospitals to assess their cyber risk posture dynamically. By leveraging AI-driven analytics, data integrations with security tools, and automated risk models, SAFE provides actionable insights into vulnerabilities and threat actors, ensuring hospitals stay ahead of emerging threats.
2. Role of the Chief Information Security Officer (CISO)
With SAFE’s dashboard, CISOs can:
- Monitor cyber risks in real time
- Generate compliance-ready reports for regulatory bodies
- Automate risk assessments and mitigation strategies
3. Multi-Factor Authentication (MFA) and Access Controls
SAFE integrates with identity and access management solutions to understand how multi-factor authentication (MFA) and robust access controls affect enterprise risk and ensure compliance with NYSDOH regulations.
4. Incident Response and Breach Quantification
With NYSDOH mandating 72-hour breach reporting, SAFE provides financial impact quantification to help hospitals assess and report the magnitude of incidents and identify the most effective controls to implement.
The Value of SAFE for Healthcare Organizations
Hospitals need more than just compliance; they need a robust security posture to protect patient data and maintain trust. SAFE provides:
- Financial Quantification: SAFE translates cyber risk into financial terms, allowing hospitals to prioritize investments based on potential impact.
- Continuous Risk Assessment: Unlike static annual assessments, SAFE provides continuous monitoring and risk evaluation, ensuring hospitals stay ahead of regulatory requirements.
- Enhanced Communication with Executives: SAFE’s quantifiable metrics make it easier for CISOs to communicate cybersecurity risks to board members and executives.
- Integration with Existing Security Infrastructure: SAFE seamlessly integrates with EHR systems, network security solutions, and other cybersecurity tools hospitals already use.
Conclusion
The NYSDOH’s new cybersecurity regulations represent a significant step forward in protecting New York’s healthcare infrastructure. With increasing cyber threats targeting hospitals, compliance is not just a regulatory necessity but a crucial aspect of patient safety and operational resilience.
SAFE empowers hospitals to meet these new standards with ease, offering advanced risk quantification, continuous monitoring, and automated compliance reporting. As we approach the October 2, 2025 deadline, hospitals that leverage SAFE’s platform will be well-equipped to navigate the evolving cybersecurity landscape while ensuring compliance with state regulations. Investing in SAFE is not just about meeting regulatory demands; it’s about safeguarding patient trust, ensuring continuity of care, and proactively defending against cyber threats in an increasingly complex digital world.