
Top Federal Health Data Privacy & Cyber Regulatory Issues



Peter Halprin, Sara Goldstein and Jennifer Kreick discuss New York's Article 28 hospital requirements, New Jersey's NIST-based framework, and preparing for multi-state compliance strategies.

New York and New Jersey are pioneering state-level cybersecurity mandates that exceed federal requirements, establishing models other states may follow. New York's regulation requires all Article 28 hospitals to implement formal cybersecurity programs, appoint CISOs, perform risk assessments and report material incidents within 72 hours - with full compliance required by October 2025. New Jersey's Statewide Information Security Manual mandates similar NIST-aligned controls for public entities and state-contracted vendors, with voluntary adoption encouraged for private healthcare organizations. Both states align their frameworks with HIPAA Security Rule proposals, NIST 800-53 and HHS Cybersecurity Performance Goals, positioning compliant organizations ahead of potential federal requirements while rural hospitals struggle with limited budgets and legacy systems.

In this insightful discussion, the panelists will cover:

  • Understanding New York's Article 28 hospital requirements and 72-hour incident reporting obligations;
  • Navigating New Jersey's NIST-based framework and voluntary participation pathways for private entities;
  • Preparing for multi-state compliance as other jurisdictions adopt similar regulations.

Here is the course outline:

Top Federal Health Data Privacy and Cyber Regulatory Issues: Expert Outlook

Completion

The following certificates are awarded when the course is completed:

CPE Credit Certificate