EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW. [Brackets] indicate matter deleted from existing law.

sb0691

SENATE BILL 691
S2, J3, J5 5lr0886
By: Senator Hester
Introduced and read first time: January 26, 2025
Assigned to: Finance and Education, Energy, and the Environment

A BILL ENTITLED

AN ACT concerning

Cybersecurity – Healthcare Ecosystem

FOR the purpose of requiring the Maryland Health Care Commission and the Maryland Insurance Administration to include a cybersecurity expert as staff to perform certain functions and submit to the State Chief Information Security Officer a report on the cybersecurity practices and policies of certain healthcare ecosystem entities on a certain basis; requiring healthcare ecosystem entities to take certain actions related to cybersecurity, including adopting and implementing certain cybersecurity standards, undergoing a third–party cybersecurity audit on a certain basis, and reporting cybersecurity incidents to the State Security Operations Center in the Department of Information Technology; requiring the Center to notify certain agencies of a cybersecurity incident reported under this Act; requiring the Commission to convene a workgroup to review cybersecurity practices, threats, responses to disruptions, and emerging issues in the healthcare ecosystem; requiring the Commission to convene a workgroup to study and make recommendations to improve the cybersecurity of the healthcare ecosystem; and generally relating to cybersecurity and the healthcare ecosystem.
BY repealing and reenacting, without amendments,
Article – Health – General
Section 19–101
Annotated Code of Maryland
(2023 Replacement Volume and 2024 Supplement)

BY adding to
Article – Health – General
Section 19–113
Annotated Code of Maryland
(2023 Replacement Volume and 2024 Supplement)

BY repealing and reenacting, without amendments,
Article – Insurance
Section 1–101(a), (b), and (k)
Annotated Code of Maryland
(2017 Replacement Volume and 2024 Supplement)

BY adding to
Article – Insurance
Section 2–117
Annotated Code of Maryland
(2017 Replacement Volume and 2024 Supplement)

BY repealing and reenacting, without amendments,
Article – State Finance and Procurement
Section 3.5–101(a) and (c), 3.5–2A–01, and 3.5–301(a) and (c)
Annotated Code of Maryland
(2021 Replacement Volume and 2024 Supplement)

BY adding to
Article – State Finance and Procurement
Section 3.5–2A–07
Annotated Code of Maryland
(2021 Replacement Volume and 2024 Supplement)

BY adding to
Article – Health – General
Section 19–113(f) and (g)
Annotated Code of Maryland
(2023 Replacement Volume and 2024 Supplement)
(As enacted by Section 1 of this Act)

BY adding to
Article – Insurance
Section 2–117(f)
Annotated Code of Maryland
(2017 Replacement Volume and 2024 Supplement)
(As enacted by Section 1 of this Act)

SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That the Laws of Maryland read as follows:

Article – Health – General

19–101.

In this subtitle, “Commission” means the Maryland Health Care Commission.

19–113.

(A) (1) IN THIS SECTION THE FOLLOWING WORDS HAVE THE MEANINGS INDICATED.

(2) “CYBERSECURITY” HAS THE MEANING STATED IN § 3.5–301 OF THE STATE FINANCE AND PROCUREMENT ARTICLE.
(3) “ESSENTIAL CAPABILITIES” MEANS THE SERVICES THAT MUST BE AVAILABLE IN THE HEALTHCARE ECOSYSTEM TO ENSURE THE CONTINUITY OF CRITICAL CARE AND PATIENT SAFETY, INCLUDING DURING AN INCIDENT DIMINISHING THE CAPACITY OF THE HEALTHCARE ECOSYSTEM.

(4) “HEALTHCARE ECOSYSTEM” MEANS THE ENTITIES AND RELATIONSHIPS AMONG ENTITIES THAT ARE NECESSARY TO DELIVER TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS.

(5) (I) “HEALTHCARE ECOSYSTEM ENTITY” INCLUDES:
1. AN ELECTRONIC DATA INTERCHANGE CLEARINGHOUSE;
2. A FREESTANDING MEDICAL FACILITY, AS DEFINED IN § 19–3A–01 OF THIS TITLE;
3. A HEALTH INFORMATION EXCHANGE, AS DEFINED IN § 4–301 OF THIS ARTICLE;
4. A HOSPITAL, AS DEFINED IN § 19–301 OF THIS TITLE; AND
5. AN ENTITY IDENTIFIED BY THE COMMISSION IN REGULATIONS TO BE INCLUDED IN THE HEALTHCARE ECOSYSTEM.

(II) “HEALTHCARE ECOSYSTEM ENTITY” DOES NOT INCLUDE:
1. A CARRIER, AS DEFINED IN § 2–117 OF THE INSURANCE ARTICLE; OR
2. A PHARMACY BENEFITS MANAGER, AS DEFINED IN § 15–1601 OF THE INSURANCE ARTICLE.

(6) “ZERO–TRUST” MEANS A CYBERSECURITY APPROACH:
(I) FOCUSED ON CYBERSECURITY RESOURCE PROTECTION; AND
(II) BASED ON THE PREMISE THAT TRUST IS NOT GRANTED IMPLICITLY BUT MUST BE EVALUATED CONTINUALLY.

(B) THE COMMISSION SHALL INCLUDE ON ITS STAFF AT LEAST ONE EMPLOYEE WHO IS AN EXPERT IN CYBERSECURITY TO:
(1) ADVISE THE CHAIRMAN AND MEMBERS OF THE COMMISSION ON MEASURES TO IMPROVE OVERSIGHT OF THE CYBERSECURITY PRACTICES OF HEALTHCARE ECOSYSTEM ENTITIES;
(2) CONSULT WITH THE OFFICE OF SECURITY MANAGEMENT ON CYBERSECURITY ISSUES RELATED TO HEALTH CARE REGULATION; AND
(3) REPRESENT THE COMMISSION ON ANY WORKGROUP, TASK FORCE, OR SIMILAR ENTITY THAT IS FOCUSED ON CYBERSECURITY AND ON WHICH REPRESENTATION FROM THE COMMISSION IS REQUESTED OR REQUIRED.
(C) A HEALTHCARE ECOSYSTEM ENTITY SHALL:
(1) ADOPT AND IMPLEMENT CYBERSECURITY STANDARDS THAT ARE EQUAL TO OR EXCEED ANY STANDARDS ADOPTED BY THE COMMISSION;
(2) ADOPT A ZERO–TRUST CYBERSECURITY APPROACH FOR ON–PREMISES SERVICES AND CLOUD–BASED SERVICES;
(3) MEET MINIMUM SECURITY STANDARDS SET BY THE COMMISSION, IN CONSULTATION WITH THE OFFICE OF SECURITY MANAGEMENT, FOR EACH OPERATIONAL TECHNOLOGY AND INFORMATION TECHNOLOGY DEVICE BASED ON THE LEVEL OF SECURITY RISK FOR EACH DEVICE, INCLUDING SECURITY RISKS ASSOCIATED WITH SUPPLY CHAINS; AND
(4) ON OR BEFORE JANUARY 1, 2026, AND EVERY 2 YEARS THEREAFTER:
(I) UNDERGO A THIRD–PARTY AUDIT TO EVALUATE THE ENTITY’S CYBERSECURITY PRACTICES AND RESOURCES BASED ON THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY’S CROSS–SECTOR CYBERSECURITY PERFORMANCE GOALS OR A MORE STRINGENT STANDARD BASED ON THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY’S FRAMEWORK; AND
(II) SUBMIT TO THE COMMISSION A REPORT THAT INCLUDES:
1. THE RECOMMENDATIONS OF THE AUDIT;
2. THE DATE OF THE CYBERSECURITY AUDIT;
3. THE CYBERSECURITY FRAMEWORK USED TO EVALUATE THE ENTITY; AND
4. THE NAME OF THE THIRD PARTY THAT CONDUCTED THE AUDIT.

(D) ON OR BEFORE JULY 1, 2026, AND EVERY 2 YEARS THEREAFTER, THE COMMISSION SHALL COLLECT CERTIFICATION OF A HEALTHCARE ECOSYSTEM ENTITY’S COMPLIANCE WITH THE STANDARD USED IN THE AUDIT CONDUCTED UNDER SUBSECTION (C)(4) OF THIS SECTION FOR CYBERSECURITY–RELATED POLICIES AND PROCEDURES.
(E) ON OR BEFORE JANUARY 1, 2027, AND EVERY 2 YEARS THEREAFTER, THE COMMISSION SHALL SUBMIT A REPORT TO THE STATE CHIEF INFORMATION SECURITY OFFICER OR THE OFFICER’S DESIGNEE THAT INCLUDES:
(1) A GENERAL OVERVIEW OF CYBERSECURITY TECHNOLOGY AND POLICIES USED BY HEALTHCARE ECOSYSTEM ENTITIES IN THE STATE, GROUPED IN THE FOLLOWING MANNER:
(I) HOSPITALS;
(II) FREESTANDING MEDICAL FACILITIES;
(III) ELECTRONIC DATA INTERCHANGE CLEARINGHOUSES;
(IV) HEALTH INFORMATION EXCHANGES; AND
(V) ANY OTHER ENTITY THE COMMISSION CONSIDERS SIGNIFICANT ENOUGH TO INCLUDE IN THE REPORT;
(2) INFORMATION ABOUT EACH CERTIFICATION COLLECTED, INCLUDING:
(I) THE NAME OF THE HEALTHCARE ECOSYSTEM ENTITY;
(II) THE DATE OF THE HEALTHCARE ECOSYSTEM ENTITY’S MOST RECENT CYBERSECURITY AUDIT;
(III) THE CYBERSECURITY FRAMEWORK USED IN THE CYBERSECURITY AUDIT OF THE HEALTHCARE ECOSYSTEM ENTITY; AND
(IV) THE NAME OF THE THIRD PARTY THAT COMPLETED THE CYBERSECURITY AUDIT;
(3) AN OVERVIEW OF ESSENTIAL CAPABILITIES PROVIDED BY HEALTHCARE ECOSYSTEM ENTITIES;
(4) RECOMMENDATIONS FOR ENSURING THE CONTINUOUS DELIVERY OF ESSENTIAL CAPABILITIES DURING AND FOLLOWING A DISRUPTION TO THE HEALTHCARE ECOSYSTEM; AND
(5) RECOMMENDATIONS TO IMPROVE CYBERSECURITY FOR THE GROUPS OF HEALTHCARE ECOSYSTEM ENTITIES IDENTIFIED IN ITEM (1) OF THIS SUBSECTION.

Article – Insurance

1–101.

(a) In this article the following words have the meanings indicated.

(b) “Administration” means the Maryland Insurance Administration.

(k) “Commissioner” means the Maryland Insurance Commissioner.

2–117.

(A) (1) IN THIS SECTION THE FOLLOWING WORDS HAVE THE MEANINGS INDICATED.
(2) “CARRIER” MEANS:
(I) AN INSURER AUTHORIZED TO SELL HEALTH INSURANCE;
(II) A NONPROFIT HEALTH SERVICE PLAN;
(III) A HEALTH MAINTENANCE ORGANIZATION;
(IV) A DENTAL PLAN ORGANIZATION; AND
(V) ANY OTHER ENTITY PROVIDING A PLAN OF HEALTH INSURANCE, HEALTH BENEFITS, OR HEALTH SERVICES AUTHORIZED UNDER THIS ARTICLE OR THE AFFORDABLE CARE ACT.

(3) “ESSENTIAL CAPABILITIES” MEANS THE SERVICES THAT MUST BE AVAILABLE IN THE HEALTHCARE ECOSYSTEM TO ENSURE THE CONTINUITY OF CRITICAL CARE AND PATIENT SAFETY, INCLUDING DURING AN INCIDENT DIMINISHING THE CAPACITY OF THE HEALTHCARE ECOSYSTEM.

(4) “HEALTHCARE ECOSYSTEM” MEANS THE ENTITIES AND RELATIONSHIPS AMONG ENTITIES THAT ARE NECESSARY TO DELIVER TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS.

(5) (I) “HEALTHCARE ECOSYSTEM ENTITY” MEANS:
1. A CARRIER; OR
2. A PHARMACY BENEFITS MANAGER, AS DEFINED IN § 15–1601 OF THIS ARTICLE.
(II) “HEALTHCARE ECOSYSTEM ENTITY” DOES NOT INCLUDE A GOVERNMENTAL PAYOR.

(6) “ZERO–TRUST” MEANS A CYBERSECURITY APPROACH:
(I) FOCUSED ON CYBERSECURITY RESOURCE PROTECTION; AND
(II) BASED ON THE PREMISE THAT TRUST IS NOT GRANTED IMPLICITLY BUT MUST BE EVALUATED CONTINUALLY.

(B) THE ADMINISTRATION SHALL INCLUDE ON ITS STAFF AT LEAST ONE EMPLOYEE WHO IS AN EXPERT IN CYBERSECURITY TO:
(1) ADVISE THE COMMISSIONER ON MEASURES TO IMPROVE OVERSIGHT OF THE CYBERSECURITY PRACTICES OF HEALTHCARE ECOSYSTEM ENTITIES;
(2) CONSULT WITH THE OFFICE OF SECURITY MANAGEMENT ON CYBERSECURITY ISSUES RELATED TO HEALTH INSURANCE REGULATION; AND
(3) REPRESENT THE ADMINISTRATION ON ANY WORKGROUP, TASK FORCE, OR SIMILAR ENTITY THAT IS FOCUSED ON CYBERSECURITY AND ON WHICH REPRESENTATION FROM THE ADMINISTRATION IS REQUIRED OR REQUESTED.
(C) A HEALTHCARE ECOSYSTEM ENTITY SHALL:
(1) ADOPT AND IMPLEMENT CYBERSECURITY STANDARDS THAT ARE EQUAL TO OR EXCEED ANY STANDARDS ADOPTED BY THE ADMINISTRATION;
(2) ADOPT A ZERO–TRUST CYBERSECURITY APPROACH FOR ON–PREMISES SERVICES AND CLOUD–BASED SERVICES;
(3) MEET MINIMUM SECURITY STANDARDS SET BY THE MARYLAND HEALTH CARE COMMISSION, IN CONSULTATION WITH THE OFFICE OF SECURITY MANAGEMENT, FOR EACH OPERATIONAL TECHNOLOGY AND INFORMATION TECHNOLOGY DEVICE BASED ON THE LEVEL OF SECURITY RISK FOR EACH DEVICE, INCLUDING SECURITY RISKS ASSOCIATED WITH SUPPLY CHAINS; AND
(4) ON OR BEFORE JANUARY 1, 2026, AND EVERY 2 YEARS THEREAFTER:
(I) UNDERGO A THIRD–PARTY AUDIT TO EVALUATE THE ENTITY’S CYBERSECURITY PRACTICES AND RESOURCES BASED ON THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY’S CROSS–SECTOR CYBERSECURITY PERFORMANCE GOALS OR A MORE STRINGENT STANDARD BASED ON THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY’S FRAMEWORK; AND
(II) SUBMIT TO THE ADMINISTRATION A REPORT THAT INCLUDES:
1. THE RECOMMENDATIONS FROM THE AUDIT;
2. THE DATE OF THE CYBERSECURITY AUDIT;
3. THE CYBERSECURITY FRAMEWORK USED TO EVALUATE THE ENTITY; AND
4. THE NAME OF THE THIRD PARTY THAT CONDUCTED THE AUDIT.

(D) ON OR BEFORE JULY 1, 2026, AND EVERY 2 YEARS THEREAFTER, THE ADMINISTRATION SHALL COLLECT CERTIFICATION OF A HEALTHCARE ECOSYSTEM ENTITY’S COMPLIANCE WITH THE STANDARD USED IN THE AUDIT CONDUCTED UNDER SUBSECTION (C)(4) OF THIS SECTION FOR CYBERSECURITY–RELATED POLICIES AND PROCEDURES.
(E) ON OR BEFORE JANUARY 1, 2027, AND EVERY 2 YEARS THEREAFTER, THE ADMINISTRATION SHALL SUBMIT A REPORT TO THE STATE CHIEF INFORMATION SECURITY OFFICER OR THE OFFICER’S DESIGNEE THAT INCLUDES:
(1) A GENERAL OVERVIEW OF CYBERSECURITY TECHNOLOGY AND POLICIES USED BY HEALTHCARE ECOSYSTEM ENTITIES IN THE STATE, GROUPED IN THE FOLLOWING MANNER:
(I) INSURERS AUTHORIZED TO SELL HEALTH INSURANCE;
(II) NONPROFIT HEALTH SERVICE PLANS;
(III) HEALTH MAINTENANCE ORGANIZATIONS;
(IV) DENTAL PLAN ORGANIZATIONS;
(V) PHARMACY BENEFITS MANAGERS; AND
(VI) ANY OTHER ENTITY PROVIDING A PLAN OF HEALTH INSURANCE, HEALTH BENEFITS, OR HEALTH SERVICES AUTHORIZED UNDER THIS ARTICLE OR THE AFFORDABLE CARE ACT;
(2) INFORMATION ABOUT EACH CERTIFICATION COLLECTED, INCLUDING:
(I) THE NAME OF THE HEALTHCARE ECOSYSTEM ENTITY;
(II) THE DATE OF THE HEALTHCARE ECOSYSTEM ENTITY’S MOST RECENT CYBERSECURITY AUDIT;
(III) THE CYBERSECURITY FRAMEWORK USED IN THE CYBERSECURITY AUDIT OF THE HEALTHCARE ECOSYSTEM ENTITY; AND
(IV) THE NAME OF THE THIRD PARTY THAT COMPLETED THE CYBERSECURITY AUDIT;
(3) AN OVERVIEW OF ESSENTIAL CAPABILITIES PROVIDED BY THE HEALTHCARE ECOSYSTEM ENTITY;
(4) RECOMMENDATIONS FOR ENSURING THE CONTINUOUS DELIVERY OF ESSENTIAL CAPABILITIES DURING AND FOLLOWING A DISRUPTION TO THE HEALTHCARE ECOSYSTEM; AND
(5) RECOMMENDATIONS TO IMPROVE CYBERSECURITY FOR THE GROUPS OF HEALTHCARE ECOSYSTEM ENTITIES IDENTIFIED IN ITEM (1) OF THIS SUBSECTION.

Article – State Finance and Procurement

3.5–101.

(a) In this title the following words have the meanings indicated.

(c) “Department” means the Department of Information Technology.

3.5–2A–01.

(a) In this subtitle the following words have the meanings indicated.

(b) “Council” means the Maryland Cybersecurity Coordinating Council.

(c) “Office” means the Office of Security Management.

3.5–2A–07.
(A) (1) IN THIS SECTION THE FOLLOWING WORDS HAVE THE MEANINGS INDICATED.
(2) “HEALTHCARE ECOSYSTEM” MEANS THE ENTITIES AND RELATIONSHIPS AMONG ENTITIES THAT ARE NECESSARY TO DELIVER HEALTH CARE TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS.
(3) “HEALTHCARE ECOSYSTEM ENTITY” INCLUDES:
(I) A CARRIER;
(II) AN ELECTRONIC DATA INTERCHANGE CLEARINGHOUSE;
(III) A FREESTANDING MEDICAL FACILITY;
(IV) A HOSPITAL;
(V) A PHARMACY BENEFITS MANAGER;
(VI) A HEALTH INFORMATION EXCHANGE; AND
(VII) ANY OTHER ENTITY IDENTIFIED BY THE MARYLAND HEALTH CARE COMMISSION OR THE MARYLAND INSURANCE ADMINISTRATION IN REGULATIONS TO BE INCLUDED IN THE HEALTHCARE ECOSYSTEM.

(B) (1) A HEALTHCARE ECOSYSTEM ENTITY SHALL REPORT, IN ACCORDANCE WITH THE PROCESS ESTABLISHED UNDER PARAGRAPH (2) OF THIS SUBSECTION, A CYBERSECURITY INCIDENT, INCLUDING AN ATTACK ON A SYSTEM BEING USED BY THE HEALTHCARE ECOSYSTEM ENTITY, TO THE STATE SECURITY OPERATIONS CENTER IN THE DEPARTMENT.
(2) THE OFFICE, IN CONSULTATION WITH THE MARYLAND HEALTH CARE COMMISSION AND THE MARYLAND INSURANCE ADMINISTRATION, SHALL ESTABLISH A PROCESS FOR A HEALTHCARE ECOSYSTEM ENTITY TO REPORT A CYBERSECURITY INCIDENT UNDER PARAGRAPH (1) OF THIS SUBSECTION, INCLUDING:
(I) THE CRITERIA FOR DETERMINING THE CIRCUMSTANCES UNDER WHICH A CYBERSECURITY INCIDENT MUST BE REPORTED;
(II) THE MANNER IN WHICH A CYBERSECURITY INCIDENT MUST BE REPORTED; AND
(III) THE TIME PERIOD WITHIN WHICH A CYBERSECURITY INCIDENT MUST BE REPORTED.
(3) THE STATE SECURITY OPERATIONS CENTER IMMEDIATELY SHALL NOTIFY APPROPRIATE STATE AND LOCAL AGENCIES OF A CYBERSECURITY INCIDENT REPORTED UNDER THIS SUBSECTION.
(4) (I) ON OR BEFORE JULY 1 EACH YEAR, BEGINNING IN 2026, THE OFFICE SHALL REPORT TO THE GOVERNOR, THE COUNCIL, AND, IN ACCORDANCE WITH § 2–1257 OF THE STATE GOVERNMENT ARTICLE, THE GENERAL ASSEMBLY ON THE NUMBER OF CYBERSECURITY INCIDENTS AND TYPES OF CYBERSECURITY INCIDENTS REPORTED UNDER PARAGRAPH (1) OF THIS SUBSECTION IN THE IMMEDIATELY PRECEDING CALENDAR YEAR.
(II) A REPORT SUBMITTED IN ACCORDANCE WITH SUBPARAGRAPH (I) OF THIS PARAGRAPH MAY NOT IDENTIFY A HEALTHCARE ECOSYSTEM ENTITY THAT REPORTED AN INCIDENT TO THE OFFICE OR A HEALTHCARE ECOSYSTEM ENTITY THAT WAS DIRECTLY AFFECTED BY AN INCIDENT REPORTED TO THE CENTER.

3.5–301.

(a) In this subtitle the following words have the meanings indicated.

(c) “Cybersecurity” means processes or capabilities wherein systems, communications, and information are protected and defended against damage, unauthorized use or modification, and exploitation.

SECTION 2. AND BE IT FURTHER ENACTED, That the Laws of Maryland read as follows:

Article – Health – General

19–113.

(F) THE COMMISSION, IN CONSULTATION WITH THE DEPARTMENT OF INFORMATION TECHNOLOGY, SHALL ADOPT REGULATIONS TO IMPLEMENT CYBERSECURITY STANDARDS AND PROCEDURES TO:
(1) PREVENT DISRUPTIONS TO THE HEALTHCARE ECOSYSTEM;
(2) ENABLE THE DELIVERY OF ESSENTIAL CAPABILITIES BY THE HEALTHCARE ECOSYSTEM; AND
(3) SUPPORT RECOVERY FROM AN INCIDENT THAT DISRUPTS THE HEALTHCARE ECOSYSTEM.

(G) THE COMMISSION, IN CONJUNCTION WITH THE MARYLAND DEPARTMENT OF EMERGENCY MANAGEMENT, THE DEPARTMENT OF INFORMATION TECHNOLOGY, AND THE MARYLAND INSURANCE ADMINISTRATION, SHALL REGULARLY CONVENE A STAKEHOLDER WORKGROUP TO REVIEW CYBERSECURITY PRACTICES, THREATS, RESPONSES TO DISRUPTIONS, AND EMERGING ISSUES AFFECTING THE HEALTHCARE ECOSYSTEM.

Article – Insurance

2–117.
(F) THE ADMINISTRATION, IN CONSULTATION WITH THE DEPARTMENT OF INFORMATION TECHNOLOGY, SHALL ADOPT REGULATIONS TO IMPLEMENT CYBERSECURITY STANDARDS AND PROCEDURES TO:
(1) PREVENT DISRUPTIONS TO THE HEALTHCARE ECOSYSTEM;
(2) ENABLE THE DELIVERY OF ESSENTIAL CAPABILITIES BY THE HEALTHCARE ECOSYSTEM; AND
(3) SUPPORT RECOVERY FROM AN INCIDENT THAT DISRUPTS THE HEALTHCARE ECOSYSTEM.

SECTION 3. AND BE IT FURTHER ENACTED, That:

(a) (1) In this section the following words have the meanings indicated.
(2) “Cybersecurity” has the meaning stated in § 3.5–301 of the State Finance and Procurement Article.
(3) “Essential capabilities” means the services that must be available in the healthcare ecosystem to ensure the continuity of critical care and patient safety, including during an incident diminishing the capacity of the healthcare ecosystem.
(4) “Healthcare ecosystem” means the entities and relationships among entities that are necessary to deliver treatment, payment, and health care operations.
(5) (i) “Healthcare ecosystem entity” includes:
1. a carrier, as defined in § 2–117 of the Insurance Article;
2. an electronic data interchange clearinghouse;
3. a freestanding medical facility, as defined in § 19–3A–01 of the Health – General Article;
4. a health information exchange, as defined in § 4–301 of the Health – General Article;
5. a hospital, as defined in § 19–301 of the Health – General Article; and
6. a pharmacy benefits manager, as defined in § 15–1601 of the Insurance Article.
(ii) “Healthcare ecosystem entity” does not include a governmental payor.
(6) “Health care operations” has the meaning stated in 45 C.F.R. § 164.501.
(7) “Payment” has the meaning stated in 45 C.F.R. § 164.501.
(8) “Treatment” has the meaning stated in 45 C.F.R. § 164.501.
(b) The Maryland Health Care Commission shall convene a healthcare ecosystem stakeholder workgroup to study and make recommendations to improve the cybersecurity of the healthcare ecosystem in the State.

(c) The workgroup shall:
(1) identify essential capabilities;
(2) identify functional requirements for the healthcare ecosystem to be capable of providing the essential capabilities identified under item (1) of this subsection;
(3) identify and map all healthcare ecosystem entities in the State;
(4) identify which healthcare ecosystem entities are needed, directly or indirectly, to provide the essential capabilities identified under item (1) of this subsection;
(5) identify other issues related to cybersecurity in the healthcare ecosystem;
(6) review best practices for cybersecurity and processes used in the healthcare ecosystem, including NIST 800–207, NIST 800–207A, NIST 800–53A, the NIST Cybersecurity Framework, HICP Technical Volume 1, and HICP Technical Volume 2; and
(7) provide guidance for the Maryland Health Care Commission and the Maryland Insurance Administration regarding the adoption and maintenance of cybersecurity regulatory standards.

(d) (1) On or before July 1, 2026, the Maryland Health Care Commission shall submit an interim report defining the scope and contents of the State’s healthcare ecosystem to the Governor, the Secretary of Emergency Management, the Maryland Insurance Commissioner, the State Chief Information Security Officer, and, in accordance with § 2–1257 of the State Government Article, the General Assembly.
(2) On or before July 1, 2028, the Maryland Health Care Commission shall submit a final report of the findings and recommendations of the workgroup to the Governor, the Secretary of Emergency Management, the Maryland Insurance Commissioner, the State Chief Information Security Officer, and, in accordance with § 2–1257 of the State Government Article, the General Assembly.

SECTION 4. AND BE IT FURTHER ENACTED, That Section 2 of this Act shall take effect July 1, 2028.

SECTION 5. AND BE IT FURTHER ENACTED, That, except as provided in Section 4 of this Act, this Act shall take effect July 1, 2025. Section 3 of this Act shall remain effective for a period of 4 years and, at the end of June 30, 2029, Section 3 of this Act, with no further action required by the General Assembly, shall be abrogated and of no further force and effect.