SHIN-NY Cybersecurity Requirements

What New York home healthcare agencies must do to meet SHIN-NY standards and what happens if they don't.

What is SHIN-NY?

The Statewide Health Information Network of New York (SHIN-NY) is New York State's health information exchange (HIE) infrastructure, overseen by the New York eHealth Collaborative (NYeC) and funded by NYS DOH. It enables the secure sharing of patient health records across providers statewide.

To participate in SHIN-NY (and, in many cases, to qualify for Medicaid reimbursement and state contracts), home healthcare agencies and other providers must meet defined cybersecurity standards. These requirements ensure that ePHI flowing through the network is protected at every endpoint.

There are currently 600+ home healthcare agencies in New York State that participate in or are required to connect to SHIN-NY. Cybersecurity compliance is not optional; it is a condition of participation.

The NIST Framework Behind SHIN-NY

SHIN-NY cybersecurity requirements are aligned to the NIST Cybersecurity Framework (CSF), which organizes security activities into five core functions.

Identify

Asset inventory, risk assessments, vendor risk management, and governance documentation.

Protect

Access controls, MFA, vulnerability management, workforce training, and data encryption.

Detect

Continuous monitoring, log analysis, penetration testing, and security alerting.

Respond

Incident response plans, internal communication procedures, and breach reporting to NYS DOH.

Recover

Disaster recovery plans, business continuity procedures, and post-incident improvement processes.

SHIN-NY Requirements by Category

Who Is Affected

  • All 600+ home healthcare agencies participating in SHIN-NY as Participants or Qualified Entities (QEs)
  • Hospitals, physician practices, and other SHIN-NY-connected providers in New York State
  • Any organization accessing or exchanging electronic protected health information (ePHI) through the SHIN-NY network
  • Third-party vendors and IT providers who support SHIN-NY-connected systems

Governance & Policy

  • Develop and maintain a Cybersecurity Policies and Procedures (CSPP) document
  • Designate a responsible person (or partner) for cybersecurity oversight
  • Conduct annual CSPP reviews and updates
  • Maintain written information security policies aligned with HIPAA and NYS DOH expectations
  • Establish vendor/business associate cybersecurity review processes

Technical Controls

  • Implement multi-factor authentication (MFA) for all users accessing SHIN-NY systems
  • Enforce role-based access controls and least-privilege principles
  • Deploy endpoint protection (antivirus, EDR) on all devices that access patient data
  • Encrypt data at rest and in transit
  • Conduct regular vulnerability assessments and patch management
  • Maintain secure, tested backups with documented recovery procedures

Monitoring & Detection

  • Implement activity logging for systems that access SHIN-NY
  • Retain security logs for a minimum defined period per NYS DOH guidance
  • Monitor for anomalous access and unauthorized activity
  • Conduct or commission regular security assessments (at minimum annually)

Incident Response & Breach Notification

  • Maintain a written Incident Response Plan (IRP)
  • Define roles, responsibilities, and escalation paths for a cyber incident
  • Report breaches to NYS DOH within the required notification window
  • Notify affected individuals per HIPAA Breach Notification Rule
  • Document all incidents and remediation steps for audit purposes

Consequences of Non-Compliance

Financial Penalties

Fines up to $50,000 per violation for failure to meet SHIN-NY and HIPAA cybersecurity standards.

Loss of SHIN-NY Access

Agencies that fail to meet requirements risk suspension from the SHIN-NY network and loss of associated Medicaid billing capabilities.

Reputational Damage

A breach or compliance failure is a public record. Loss of patient trust and referral partner relationships can be lasting.

Frequently Asked Questions

Who must comply with SHIN-NY cybersecurity requirements?

All organizations participating in SHIN-NY as Participants or Qualified Entities (including home healthcare agencies, hospitals, and physician practices in New York State) must meet SHIN-NY cybersecurity standards set by NYS DOH.

What framework does SHIN-NY use for cybersecurity?

SHIN-NY aligns with the NIST Cybersecurity Framework (CSF), covering the five core functions: Identify, Protect, Detect, Respond, and Recover.

Is MFA required for SHIN-NY compliance?

Yes. Multi-factor authentication (MFA) is required for all users who access systems connected to SHIN-NY, including staff at home healthcare agencies.

Does SHIN-NY require a written cybersecurity policy?

Yes. SHIN-NY requires organizations to develop and maintain a Cybersecurity Policies and Procedures (CSPP) document, reviewed and updated at least annually.

Ready to meet every SHIN-NY requirement?

ShieldForce handles your full compliance foundation (CSPP, MFA, endpoint protection, logging, and incident response) starting at $35/user/month.