
ME LD2103

An Act Requiring Hospitals to Adopt Cybersecurity Plans



Introduced: 01/07/2026
In Committee: 01/07/2026
Crossed Over: 04/02/2026
Passed: 04/06/2026
Dead
Signed/Enacted/Adopted: 04/13/2026

Introduced Session

132nd Legislature

Bill Summary

An Act Requiring Hospitals to Adopt Cybersecurity Plans

AI Summary

This bill requires hospitals to adopt and maintain comprehensive cybersecurity plans, defined as processes to prevent unauthorized changes to, misuse of, or denial of access to electronic information and to respond to security incidents. A security incident is an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with computer systems. These plans must align with best practices from federal agencies like the U.S. Department of Homeland Security and the National Institute of Standards and Technology, and comply with federal laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Key provisions include timely notification of cybersecurity intrusions to various parties, backup communication plans to ensure patient care continuity during system disruptions, integration of manually charted records into electronic systems, proper triage of hospital services, a written security incident response plan detailing employee reporting and hospital response procedures, annual cybersecurity training for staff and board members, annual testing of downtime procedures, regular vulnerability scans and penetration testing, timely restoration of communication with the state's health information exchange, review of past security incidents, and post-incident reviews. Hospitals must also involve healthcare workers and their unions in developing these plans, maintain physical copies of downtime paperwork, and undergo annual audits by independent cybersecurity experts, submitting high-level summaries of audit results to the department upon request. In the event of a cybersecurity incident, hospitals must coordinate with the Maine Center for Disease Control and Prevention, and the state will indemnify hospitals for the actions of state personnel involved in the response.
The bill also specifies that cybersecurity plans submitted to the department are confidential unless their release would jeopardize safety, and it clarifies that this section can be interpreted more restrictively than federal law, with an effective date of January 1, 2027.

Committee Categories

Health and Social Services

Sponsors (6)

Last Action

Governor's Action: Signed, Apr 13, 2026 (on 04/13/2026)

Taxonomy

Health
  • Regulation of Doctors and Health Facilities
Space, Science, Technology, and Communications
  • Internet and Computer Issues
