Maryland 2024 Regular Session

Maryland House Bill HB1123 Introduced / Bill

Filed 02/08/2024

                     
 
EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW.
        [Brackets] indicate matter deleted from existing law.
  
HOUSE BILL 1123 
J3, S2   	4lr3299 
    	CF 4lr2135 
By: Delegate Kerr 
Introduced and read first time: February 7, 2024 
Assigned to: Health and Government Operations 
 
A BILL ENTITLED 
 
AN ACT concerning

Maryland Health Care Commission – Health Care Facilities – Cybersecurity for
Hospitals

FOR the purpose of requiring the Maryland Health Care Commission to adopt minimum
cybersecurity standards for hospitals and take certain other actions related to the
cybersecurity of hospitals, including supporting hospitals that do not meet the
minimum cybersecurity standards; requiring hospitals to comply with the
cybersecurity standards adopted by the Commission; requiring the Secretary of
Health to consider cybersecurity standards for hospitals when issuing a license to a
hospital; and generally relating to cybersecurity for hospitals.
 
BY repealing and reenacting, with amendments,
 Article – Health – General
Section 19–103
 Annotated Code of Maryland
 (2023 Replacement Volume)

BY adding to
 Article – Health – General
Section 19–113
 Annotated Code of Maryland
 (2023 Replacement Volume)

 SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND,
That the Laws of Maryland read as follows:
 
Article – Health – General

19–103.

 (a) There is a Maryland Health Care Commission.
 
 
 
 (b) The Commission is an independent commission that functions in the
Department.

 (c) The purpose of the Commission is to:

 (1) Develop health care cost containment strategies to help provide access
to appropriate quality health care services for all Marylanders, after consulting with the
Health Services Cost Review Commission;

 (2) Promote the development of a health regulatory system that provides,
for all Marylanders, financial and geographic access to quality health care services at a
reasonable cost by:

 (i) Advocating policies and systems to promote the efficient delivery
of and improved access to health care services; and

 (ii) Enhancing the strengths of the current health care service
delivery and regulatory system;

 (3) Facilitate the public disclosure of medical claims data for the
development of public policy;

 (4) Establish and develop a medical care database on health care services
rendered by health care practitioners;

 (5) Encourage the development of clinical resource management systems
to permit the comparison of costs between various treatment settings and the availability
of information to consumers, providers, and purchasers of health care services;
 
 (6) In accordance with Title 15, Subtitle 12 of the Insurance Article,
develop a uniform set of effective benefits to be included in the Comprehensive Standard
Health Benefit Plan;

 (7) Analyze the medical care database and provide, in aggregate form, an
annual report on the variations in costs associated with health care practitioners;

 (8) Ensure utilization of the medical care database as a primary means to
compile data and information and annually report on trends and variances regarding fees
for service, cost of care, regional and national comparisons, and indications of malpractice
situations;

 (9) Establish standards for the operation and licensing of medical care
electronic claims clearinghouses in Maryland;

 (10) Reduce the costs of claims submission and the administration of claims
for health care practitioners and payors;
 
 
 
 (11) Determine the cost of mandated health insurance services in the State
in accordance with Title 15, Subtitle 15 of the Insurance Article;

 (12) Promote the availability of information to consumers on charges by
practitioners and reimbursements from payors;

 (13) Oversee and administer the Maryland Trauma Physician Services
Fund in conjunction with the Health Services Cost Review Commission; [and]

 (14) Establish policies and standards to protect the confidentiality of patient
and health care practitioner information related to legally protected health care as defined
in § 4–301 of this article; AND

 (15) ESTABLISH AND ENFORCE CYBERSECURITY STANDARDS AND
PRACTICES FOR HEALTH CARE FACILITIES.

 (d) The Commission shall coordinate the exercise of its functions with the
Department and the Health Services Cost Review Commission to ensure an integrated,
effective health care policy for the State.
 
19–113.

 (A) IN THIS SECTION, “HOSPITAL” HAS THE MEANING STATED IN § 19–301
OF THIS TITLE.

 (B) THE COMMISSION SHALL:

 (1) ADOPT MINIMUM CYBERSECURITY STANDARDS FOR HOSPITALS
THAT:

 (I) PROTECT PRIVATE DATA, SUCH AS PATIENT AND EMPLOYEE
RECORDS, HELD BY THE HOSPITAL;

 (II) ENABLE A HOSPITAL TO MAINTAIN ROUTINE FUNCTIONS;
AND

 (III) ARE CONSISTENT WITH THE NATIONAL INSTITUTE OF
STANDARDS AND TECHNOLOGY AND CYBERSECURITY AND INFRASTRUCTURE
SECURITY AGENCY RECOMMENDATIONS FOR HOSPITALS;

 (2) REVIEW AND REVISE THE STANDARDS SET UNDER ITEM (1) OF
THIS SUBSECTION ON A REGULAR BASIS;
 
 
 (3) PARTICIPATE IN OPPORTUNITIES TO LEARN ABOUT HOSPITAL
CYBERSECURITY FROM EXPERT ENTITIES;

 (4) LEARN FROM THE EXPERIENCES OF GOVERNMENT AGENCIES IN
OTHER STATES THAT SET MINIMUM CYBERSECURITY STANDARDS FOR HOSPITALS;

 (5) PROVIDE FOR THIRD–PARTY ASSESSMENTS OF HOSPITALS FOR
COMPLIANCE WITH MINIMUM CYBERSECURITY STANDARDS;

 (6) ON OR BEFORE JANUARY 1, 2026, AND EVERY 2 YEARS
THEREAFTER:

 (I) COLLECT CERTIFICATIONS OF A HOSPITAL’S COMPLIANCE
WITH THE MINIMUM CYBERSECURITY STANDARDS ADOPTED UNDER ITEM (1) OF
THIS SUBSECTION; AND

 (II) SUBMIT A REPORT TO THE STATE CHIEF INFORMATION
SECURITY OFFICER, OR THE OFFICER’S DESIGNEE; AND

 (7) SUPPORT HOSPITALS THAT DO NOT MEET THE MINIMUM
CYBERSECURITY STANDARDS ADOPTED UNDER ITEM (1) OF THIS SUBSECTION TO
REMEDIATE VULNERABILITIES OR ADDRESS CYBERSECURITY ASSESSMENT
FINDINGS.
 
 (C) EACH HOSPITAL SHALL:

 (1) (I) COMPLY WITH THE CYBERSECURITY STANDARDS ADOPTED
UNDER SUBSECTION (B)(1) OF THIS SECTION; AND

 (II) SUBMIT A CERTIFICATION OF COMPLIANCE WITH THE
STANDARDS AS DIRECTED BY THE COMMISSION;

 (2) DESIGNATE A CHIEF INFORMATION SECURITY OFFICER TO
OVERSEE COMPLIANCE WITH THE REQUIREMENTS OF THIS SECTION;

 (3) IMMEDIATELY REPORT A CYBERSECURITY INCIDENT TO THE
COMMISSION, RELEVANT LAW ENFORCEMENT AGENCIES, AND HOSPITAL
ADMINISTRATORS;

 (4) MAINTAIN A CYBERSECURITY INCIDENT RESPONSE PLAN AND
TEST THE PLAN AT LEAST ANNUALLY; AND

 (5) MAINTAIN A MOBILE DEVICE MANAGEMENT PROGRAM THAT:
 
 
 
 (I) IS CONSISTENT WITH FEDERAL GUIDANCE;

 (II) INCLUDES AN ENTERPRISE MOBILE PLATFORM; AND

 (III) INCLUDES A MOBILE THREAT DEFENSE PROGRAM.

 (D) THE SECRETARY SHALL CONSIDER THE STANDARDS ADOPTED UNDER
THIS SECTION WHEN ISSUING A LICENSE TO A HOSPITAL.
 
 SECTION 2. AND BE IT FURTHER ENACTED, That it is the intent of the General
Assembly that the Maryland Health Care Commission work with the Cybersecurity and
Infrastructure Security Agency and the Office of Security Management to improve the
Commission’s capacity to implement the provisions of this Act.

 SECTION 3. AND BE IT FURTHER ENACTED, That this Act shall take effect
October 1, 2024.