CSPP, SCPA & Logging Requirements
The documentation, governance, and incident reporting requirements that NY home healthcare agencies must meet and how ShieldForce handles every piece.
Cybersecurity Policies & Procedures
A CSPP (Cybersecurity Policies and Procedures) document is a foundational SHIN-NY requirement. It is the written record that defines how your agency handles cybersecurity, from access control to breach response.
SHIN-NY requires the CSPP to be reviewed and updated at least annually. Leadership must sign off on the policy. During a SHIN-NY audit or incident investigation, your CSPP is the first document requested.
Many home healthcare agencies don't have a CSPP at all, or have one copied from a generic template that doesn't reflect their actual systems. ShieldForce provides SHIN-NY-aligned CSPP templates and customizes them for your agency.
ShieldForce includes: CSPP template, annual review facilitation, and documentation versioning for all plans.
What your CSPP must cover:
Information Security Policy
High-level statement of your organization's commitment to protecting ePHI and systems, signed by leadership.
Roles & Responsibilities
Who is responsible for cybersecurity decisions, incident response, risk assessments, and vendor management.
Access Control Procedures
How users are granted and revoked access, MFA requirements, and least-privilege enforcement procedures.
Acceptable Use Policy
Rules for staff use of devices, email, internet, and clinical systems, including remote work and BYOD.
Incident Response Plan (IRP)
Step-by-step procedures for detecting, containing, eradicating, and recovering from a security incident.
Breach Notification Procedures
Who to call, what to document, and the reporting chain: agency → NYeC → NYS DOH and affected individuals.
Risk Assessment Process
How and how often your organization evaluates risks to ePHI. Aligns with the risk analysis mandated by the HIPAA Security Rule.
Vendor & BAA Management
Process for reviewing IT vendors, executing BAAs, and monitoring third-party risk throughout the contract lifecycle.
Annual Review Documentation
Record that the CSPP was reviewed, who reviewed it, what changed, and when the next review is scheduled.
Security Controls & Privacy Assessment
An SCPA (Security Controls and Privacy Assessment) is a structured evaluation of whether your security controls are actually working as intended. It goes beyond having a policy; it verifies that the policy is implemented.
SHIN-NY expects participating organizations to conduct regular SCPAs (at minimum annually) and to document the results. Agencies that use a managed security provider like ShieldForce can satisfy this requirement through continuous monitoring, scheduled assessments, and our documented gap reports.
ShieldForce conducts your annual SCPA as part of our ongoing service and provides a written report suitable for SHIN-NY compliance documentation.
SCPA: What Gets Assessed
- Review of existing policies and procedures vs. NIST CSF
- Technical controls evaluation: MFA, patching, encryption, backups
- Vulnerability assessment of network and endpoints
- Log review and monitoring capability check
- Staff security awareness and training status
- Incident response plan review and tabletop exercise (optional)
- Vendor/BAA inventory and third-party risk status
- Final gap report with prioritized remediation plan
What You Must Log and For How Long
SHIN-NY requires organizations to maintain security event logs for all systems connected to the network. Here's what must be logged and the minimum retention periods.
| Log Category | What to Log | Min. Retention |
|---|---|---|
| Authentication Events | All login attempts (successful and failed) to clinical and administrative systems | 12 months minimum |
| Access to ePHI | Who accessed patient records, when, and from where | 6–12 months |
| Admin / Privileged Account Activity | All admin-level commands, configuration changes, and account management actions | 12 months minimum |
| Network & Firewall Logs | Inbound/outbound connections, blocked traffic, VPN sessions | 6 months minimum |
| Application & System Events | Error logs, service restarts, and software change events on SHIN-NY-connected systems | 6 months |
| Email Security Events | Blocked phishing attempts, quarantined messages, and suspicious link clicks | 6 months |
Retention guidance reflects NYS DOH, HIPAA, and NIST best practices. ShieldForce configures log retention to meet or exceed minimums based on your specific environment.
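As an added example (not ShieldForce code), a small retention coverage check of the kind an SCPA log review performs: given a constructed inventory of log sources with their configured retention and the oldest record each still holds, it reports gaps against the minimums in the table above and warns where the policy is adequate but the retained history does not yet evidence it. The category keys, source names and inventory values are assumed.

```python
from datetime import datetime, timedelta, timezone

# Minimums in days from the table above. The ePHI row reads "6-12 months": the
# lower bound is the hard minimum; under 12 months is flagged as a warning.
MIN_DAYS = {"authentication": 365, "ephi_access": 180, "privileged_activity": 365,
            "network_firewall": 180, "application_system": 180, "email_security": 180}
RECOMMENDED_DAYS = {"ephi_access": 365}

# Constructed inventory for a hypothetical agency: per source, the retention the
# log platform is configured for and the oldest record actually still present.
# Categories absent from the inventory are not being collected at all.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    {"category": "authentication", "source": "EHR portal",
     "configured_days": 400, "oldest_event": NOW - timedelta(days=390)},
    {"category": "ephi_access", "source": "EHR audit trail",
     "configured_days": 180, "oldest_event": NOW - timedelta(days=180)},
    {"category": "privileged_activity", "source": "domain controllers",
     "configured_days": 365, "oldest_event": NOW - timedelta(days=90)},
    {"category": "network_firewall", "source": "edge firewall",
     "configured_days": 90, "oldest_event": NOW - timedelta(days=88)},
]


def check_retention(inventory, now=NOW):
    """Return (category, severity, message) tuples. 'gap' fails the minimum;
    'warning' means the policy passes but the evidence or guidance does not."""
    findings = []
    for item in inventory:
        cat, req, cfg = item["category"], MIN_DAYS[item["category"]], item["configured_days"]
        held = (now - item["oldest_event"]).days
        if cfg < req:
            findings.append((cat, "gap", f"{item['source']}: configured {cfg} days, minimum {req}"))
        elif held < req:
            # Policy is right but history is short: logging was enabled recently
            # or old records were purged. An auditor will ask for the evidence.
            findings.append((cat, "warning", f"{item['source']}: only {held} days held, {req} required"))
        if cfg < RECOMMENDED_DAYS.get(cat, 0):
            findings.append((cat, "warning", f"{item['source']}: below {RECOMMENDED_DAYS[cat]}-day guidance"))
    for cat in sorted(MIN_DAYS.keys() - {i["category"] for i in inventory}):
        findings.append((cat, "gap", "no log source collected for this category"))
    return findings


if __name__ == "__main__":
    for cat, sev, msg in check_retention(INVENTORY):
        print(f"[{sev.upper():7}] {cat}: {msg}")
```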
Breach Notification: Who to Call and When
When a breach occurs, SHIN-NY participants follow a defined chain of notification. Understanding this chain before an incident occurs, not after, is critical.
Detect & Contain
Your team (or the ShieldForce 24/7 SOC) detects the incident and activates the IRP. Contain the incident to prevent further spread.
Internal Escalation
Notify your designated cybersecurity responsible party, leadership, and legal/compliance team. Document the timeline from discovery.
Notify NYeC
Report the incident to the New York eHealth Collaborative (NYeC) per your SHIN-NY participant agreement. NYeC coordinates with NYS DOH.
HIPAA & Individual Notice
Notify affected individuals within 60 days of discovery. Report to HHS/OCR if 500 or more individuals are affected. Post a public breach notice where required.
Key Timing: 60-Day HIPAA Clock
The HIPAA Breach Notification Rule requires notice to affected individuals no later than 60 days after discovery. NYS law may impose even shorter timelines for certain breach types. Failure to notify is itself a separate violation with penalties up to $50,000 per incident.
Frequently Asked Questions
What is a CSPP in the context of SHIN-NY?
What is a SCPA?
How long must security logs be retained for SHIN-NY?
How quickly must a breach be reported under SHIN-NY?
Can ShieldForce write our CSPP for us?
Let ShieldForce handle the documentation burden
CSPP templates, annual reviews, log management, and breach notification support are all included in ShieldForce managed security plans starting at $35/user/month.
