EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW. [Brackets] indicate matter deleted from existing law. Underlining indicates amendments to bill. Strike out indicates matter stricken from the bill by amendment or deleted from the law by amendment.

SENATE BILL 691
S2, J3, J5 5lr0886 CF HB 333
By: Senator Hester
Introduced and read first time: January 26, 2025
Assigned to: Finance and Education, Energy, and the Environment
Committee Report: Favorable with amendments
Senate action: Adopted
Read second time: March 11, 2025

CHAPTER ______

AN ACT concerning

Cybersecurity – Healthcare Ecosystem Stakeholder Cybersecurity Workgroup

FOR the purpose of requiring the Maryland Health Care Commission and the Maryland Insurance Administration to include a cybersecurity expert as staff to perform certain functions and submit to the State Chief Information Security Officer a report on the cybersecurity practices and policies of certain healthcare ecosystem entities on a certain basis; requiring healthcare ecosystem entities to take certain actions related to cybersecurity, including adopting and implementing certain cybersecurity standards, undergoing a third–party cybersecurity audit on a certain basis, and reporting cybersecurity incidents to the State Security Operations Center in the Department of Information Technology; requiring the Center to notify certain agencies of a cybersecurity incident reported under this Act; requiring the Commission to convene a workgroup to review cybersecurity practices, threats, responses to disruptions, and emerging issues in the healthcare ecosystem; requiring the Commission to convene a workgroup to study and make recommendations to improve the cybersecurity of the healthcare ecosystem; and generally relating to cybersecurity and the healthcare ecosystem establishing the Healthcare Ecosystem Stakeholder Cybersecurity Workgroup to develop strategies to prevent cybersecurity
disruptions to the healthcare ecosystem, ensure the continuous delivery of essential healthcare ecosystem services, and enhance recovery efforts of the healthcare ecosystem following a cybersecurity incident; and generally relating to the Healthcare Ecosystem Stakeholder Cybersecurity Workgroup.

BY repealing and reenacting, without amendments,
    Article – Health – General
    Section 19–101
    Annotated Code of Maryland
    (2023 Replacement Volume and 2024 Supplement)

BY adding to
    Article – Health – General
    Section 19–113
    Annotated Code of Maryland
    (2023 Replacement Volume and 2024 Supplement)

BY repealing and reenacting, without amendments,
    Article – Insurance
    Section 1–101(a), (b), and (k)
    Annotated Code of Maryland
    (2017 Replacement Volume and 2024 Supplement)

BY adding to
    Article – Insurance
    Section 2–117
    Annotated Code of Maryland
    (2017 Replacement Volume and 2024 Supplement)

BY repealing and reenacting, without amendments,
    Article – State Finance and Procurement
    Section 3.5–101(a) and (c), 3.5–2A–01, and 3.5–301(a) and (c)
    Annotated Code of Maryland
    (2021 Replacement Volume and 2024 Supplement)

BY adding to
    Article – State Finance and Procurement
    Section 3.5–2A–07
    Annotated Code of Maryland
    (2021 Replacement Volume and 2024 Supplement)

BY adding to
    Article – Health – General
    Section 19–113(f) and (g)
    Annotated Code of Maryland
    (2023 Replacement Volume and 2024 Supplement)
    (As enacted by Section 1 of this Act)

BY adding to
    Article – Insurance
    Section 2–117(f)
    Annotated Code of Maryland
    (2017 Replacement Volume and 2024 Supplement)
    (As enacted by Section 1 of this Act)

SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That the Laws of Maryland read as follows:

Article – Health – General

19–101.

In this subtitle, “Commission” means the Maryland Health Care Commission.

19–113.
(A) (1) IN THIS SECTION THE FOLLOWING WORDS HAVE THE MEANINGS INDICATED.
    (2) “CYBERSECURITY” HAS THE MEANING STATED IN § 3.5–301 OF THE STATE FINANCE AND PROCUREMENT ARTICLE.
    (3) “ESSENTIAL CAPABILITIES” MEANS THE SERVICES THAT MUST BE AVAILABLE IN THE HEALTHCARE ECOSYSTEM TO ENSURE THE CONTINUITY OF CRITICAL CARE AND PATIENT SAFETY, INCLUDING DURING AN INCIDENT DIMINISHING THE CAPACITY OF THE HEALTHCARE ECOSYSTEM.
    (4) “HEALTHCARE ECOSYSTEM” MEANS THE ENTITIES AND RELATIONSHIPS AMONG ENTITIES THAT ARE NECESSARY TO DELIVER TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS.
    (5) (I) “HEALTHCARE ECOSYSTEM ENTITY” INCLUDES:
            1. AN ELECTRONIC DATA INTERCHANGE CLEARINGHOUSE;
            2. A FREESTANDING MEDICAL FACILITY, AS DEFINED IN § 19–3A–01 OF THIS TITLE;
            3. A HEALTH INFORMATION EXCHANGE, AS DEFINED IN § 4–301 OF THIS ARTICLE;
            4. A HOSPITAL, AS DEFINED IN § 19–301 OF THIS TITLE; AND
            5. AN ENTITY IDENTIFIED BY THE COMMISSION IN REGULATIONS TO BE INCLUDED IN THE HEALTHCARE ECOSYSTEM.
        (II) “HEALTHCARE ECOSYSTEM ENTITY” DOES NOT INCLUDE:
            1. A CARRIER, AS DEFINED IN § 2–117 OF THE INSURANCE ARTICLE; OR
            2. A PHARMACY BENEFITS MANAGER, AS DEFINED IN § 15–1601 OF THE INSURANCE ARTICLE.
    (6) “ZERO–TRUST” MEANS A CYBERSECURITY APPROACH:
        (I) FOCUSED ON CYBERSECURITY RESOURCE PROTECTION; AND
        (II) BASED ON THE PREMISE THAT TRUST IS NOT GRANTED IMPLICITLY BUT MUST BE EVALUATED CONTINUALLY.
(B) THE COMMISSION SHALL INCLUDE ON ITS STAFF AT LEAST ONE EMPLOYEE WHO IS AN EXPERT IN CYBERSECURITY TO:
    (1) ADVISE THE CHAIRMAN AND MEMBERS OF THE COMMISSION ON MEASURES TO IMPROVE OVERSIGHT OF THE CYBERSECURITY PRACTICES OF HEALTHCARE ECOSYSTEM ENTITIES;
    (2) CONSULT WITH THE OFFICE OF SECURITY MANAGEMENT ON CYBERSECURITY ISSUES RELATED TO HEALTH CARE REGULATION; AND
    (3) REPRESENT THE COMMISSION ON ANY WORKGROUP, TASK FORCE, OR SIMILAR ENTITY THAT IS FOCUSED ON CYBERSECURITY AND ON WHICH REPRESENTATION FROM THE COMMISSION IS REQUESTED OR REQUIRED.
(C) A HEALTHCARE ECOSYSTEM ENTITY SHALL:
    (1) ADOPT AND IMPLEMENT CYBERSECURITY STANDARDS THAT ARE EQUAL TO OR EXCEED ANY STANDARDS ADOPTED BY THE COMMISSION;
    (2) ADOPT A ZERO–TRUST CYBERSECURITY APPROACH FOR ON–PREMISES SERVICES AND CLOUD–BASED SERVICES;
    (3) MEET MINIMUM SECURITY STANDARDS SET BY THE COMMISSION, IN CONSULTATION WITH THE OFFICE OF SECURITY MANAGEMENT, FOR EACH OPERATIONAL TECHNOLOGY AND INFORMATION TECHNOLOGY DEVICE BASED ON THE LEVEL OF SECURITY RISK FOR EACH DEVICE, INCLUDING SECURITY RISKS ASSOCIATED WITH SUPPLY CHAINS; AND
    (4) ON OR BEFORE JANUARY 1, 2026, AND EVERY 2 YEARS THEREAFTER:
        (I) UNDERGO A THIRD–PARTY AUDIT TO EVALUATE THE ENTITY’S CYBERSECURITY PRACTICES AND RESOURCES BASED ON THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY’S CROSS–SECTOR CYBERSECURITY PERFORMANCE GOALS OR A MORE STRINGENT STANDARD BASED ON THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY’S FRAMEWORK; AND
        (II) SUBMIT TO THE COMMISSION A REPORT THAT INCLUDES:
            1. THE RECOMMENDATIONS OF THE AUDIT;
            2. THE DATE OF THE CYBERSECURITY AUDIT;
            3. THE CYBERSECURITY FRAMEWORK USED TO EVALUATE THE ENTITY; AND
            4. THE NAME OF THE THIRD PARTY THAT CONDUCTED THE AUDIT.
(D) ON OR BEFORE JULY 1, 2026, AND EVERY 2 YEARS THEREAFTER, THE COMMISSION SHALL COLLECT CERTIFICATION OF A HEALTHCARE ECOSYSTEM ENTITY’S COMPLIANCE WITH THE STANDARD USED IN THE AUDIT CONDUCTED UNDER SUBSECTION (C)(4) OF THIS SECTION FOR CYBERSECURITY–RELATED POLICIES AND PROCEDURES.
(E) ON OR BEFORE JANUARY 1, 2027, AND EVERY 2 YEARS THEREAFTER, THE COMMISSION SHALL SUBMIT A REPORT TO THE STATE CHIEF INFORMATION SECURITY OFFICER OR THE OFFICER’S DESIGNEE THAT INCLUDES:
    (1) A GENERAL OVERVIEW OF CYBERSECURITY TECHNOLOGY AND POLICIES USED BY HEALTHCARE ECOSYSTEM ENTITIES IN THE STATE, GROUPED IN THE FOLLOWING MANNER:
        (I) HOSPITALS;
        (II) FREESTANDING MEDICAL FACILITIES;
        (III) ELECTRONIC DATA INTERCHANGE CLEARINGHOUSES;
        (IV) HEALTH INFORMATION EXCHANGES; AND
        (V) ANY OTHER ENTITY THE COMMISSION CONSIDERS SIGNIFICANT ENOUGH TO INCLUDE IN THE REPORT;
    (2) INFORMATION ABOUT EACH CERTIFICATION COLLECTED, INCLUDING:
        (I) THE NAME OF THE HEALTHCARE ECOSYSTEM ENTITY;
        (II) THE DATE OF THE HEALTHCARE ECOSYSTEM ENTITY’S MOST RECENT CYBERSECURITY AUDIT;
        (III) THE CYBERSECURITY FRAMEWORK USED IN THE CYBERSECURITY AUDIT OF THE HEALTHCARE ECOSYSTEM ENTITY; AND
        (IV) THE NAME OF THE THIRD PARTY THAT COMPLETED THE CYBERSECURITY AUDIT;
    (3) AN OVERVIEW OF ESSENTIAL CAPABILITIES PROVIDED BY HEALTHCARE ECOSYSTEM ENTITIES;
    (4) RECOMMENDATIONS FOR ENSURING THE CONTINUOUS DELIVERY OF ESSENTIAL CAPABILITIES DURING AND FOLLOWING A DISRUPTION TO THE HEALTHCARE ECOSYSTEM; AND
    (5) RECOMMENDATIONS TO IMPROVE CYBERSECURITY FOR THE GROUPS OF HEALTHCARE ECOSYSTEM ENTITIES IDENTIFIED IN ITEM (1) OF THIS SUBSECTION.

Article – Insurance

1–101.

(a) In this article the following words have the meanings indicated.
(b) “Administration” means the Maryland Insurance Administration.
(k) “Commissioner” means the Maryland Insurance Commissioner.
2–117.

(A) (1) IN THIS SECTION THE FOLLOWING WORDS HAVE THE MEANINGS INDICATED.
    (2) “CARRIER” MEANS:
        (I) AN INSURER AUTHORIZED TO SELL HEALTH INSURANCE;
        (II) A NONPROFIT HEALTH SERVICE PLAN;
        (III) A HEALTH MAINTENANCE ORGANIZATION;
        (IV) A DENTAL PLAN ORGANIZATION; AND
        (V) ANY OTHER ENTITY PROVIDING A PLAN OF HEALTH INSURANCE, HEALTH BENEFITS, OR HEALTH SERVICES AUTHORIZED UNDER THIS ARTICLE OR THE AFFORDABLE CARE ACT.
    (3) “ESSENTIAL CAPABILITIES” MEANS THE SERVICES THAT MUST BE AVAILABLE IN THE HEALTHCARE ECOSYSTEM TO ENSURE THE CONTINUITY OF CRITICAL CARE AND PATIENT SAFETY, INCLUDING DURING AN INCIDENT DIMINISHING THE CAPACITY OF THE HEALTHCARE ECOSYSTEM.
    (4) “HEALTHCARE ECOSYSTEM” MEANS THE ENTITIES AND RELATIONSHIPS AMONG ENTITIES THAT ARE NECESSARY TO DELIVER TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS.
    (5) (I) “HEALTHCARE ECOSYSTEM ENTITY” MEANS:
            1. A CARRIER; OR
            2. A PHARMACY BENEFITS MANAGER, AS DEFINED IN § 15–1601 OF THIS ARTICLE.
        (II) “HEALTHCARE ECOSYSTEM ENTITY” DOES NOT INCLUDE A GOVERNMENTAL PAYOR.
    (6) “ZERO–TRUST” MEANS A CYBERSECURITY APPROACH:
        (I) FOCUSED ON CYBERSECURITY RESOURCE PROTECTION; AND
        (II) BASED ON THE PREMISE THAT TRUST IS NOT GRANTED IMPLICITLY BUT MUST BE EVALUATED CONTINUALLY.
(B) THE ADMINISTRATION SHALL INCLUDE ON ITS STAFF AT LEAST ONE EMPLOYEE WHO IS AN EXPERT IN CYBERSECURITY TO:
    (1) ADVISE THE COMMISSIONER ON MEASURES TO IMPROVE OVERSIGHT OF THE CYBERSECURITY PRACTICES OF HEALTHCARE ECOSYSTEM ENTITIES;
    (2) CONSULT WITH THE OFFICE OF SECURITY MANAGEMENT ON CYBERSECURITY ISSUES RELATED TO HEALTH INSURANCE REGULATION; AND
    (3) REPRESENT THE ADMINISTRATION ON ANY WORKGROUP, TASK FORCE, OR SIMILAR ENTITY THAT IS FOCUSED ON CYBERSECURITY AND ON WHICH REPRESENTATION FROM THE ADMINISTRATION IS REQUIRED OR REQUESTED.
(C) A HEALTHCARE ECOSYSTEM ENTITY SHALL:
    (1) ADOPT AND IMPLEMENT CYBERSECURITY STANDARDS THAT ARE EQUAL TO OR EXCEED ANY STANDARDS ADOPTED BY THE ADMINISTRATION;
    (2) ADOPT A ZERO–TRUST CYBERSECURITY APPROACH FOR ON–PREMISES SERVICES AND CLOUD–BASED SERVICES;
    (3) MEET MINIMUM SECURITY STANDARDS SET BY THE MARYLAND HEALTH CARE COMMISSION, IN CONSULTATION WITH THE OFFICE OF SECURITY MANAGEMENT, FOR EACH OPERATIONAL TECHNOLOGY AND INFORMATION TECHNOLOGY DEVICE BASED ON THE LEVEL OF SECURITY RISK FOR EACH DEVICE, INCLUDING SECURITY RISKS ASSOCIATED WITH SUPPLY CHAINS; AND
    (4) ON OR BEFORE JANUARY 1, 2026, AND EVERY 2 YEARS THEREAFTER:
        (I) UNDERGO A THIRD–PARTY AUDIT TO EVALUATE THE ENTITY’S CYBERSECURITY PRACTICES AND RESOURCES BASED ON THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY’S CROSS–SECTOR CYBERSECURITY PERFORMANCE GOALS OR A MORE STRINGENT STANDARD BASED ON THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY’S FRAMEWORK; AND
        (II) SUBMIT TO THE ADMINISTRATION A REPORT THAT INCLUDES:
            1. THE RECOMMENDATIONS FROM THE AUDIT;
            2. THE DATE OF THE CYBERSECURITY AUDIT;
            3. THE CYBERSECURITY FRAMEWORK USED TO EVALUATE THE ENTITY; AND
            4. THE NAME OF THE THIRD PARTY THAT CONDUCTED THE AUDIT.
(D) ON OR BEFORE JULY 1, 2026, AND EVERY 2 YEARS THEREAFTER, THE ADMINISTRATION SHALL COLLECT CERTIFICATION OF A HEALTHCARE ECOSYSTEM ENTITY’S COMPLIANCE WITH THE STANDARD USED IN THE AUDIT CONDUCTED UNDER SUBSECTION (C)(4) OF THIS SECTION FOR CYBERSECURITY–RELATED POLICIES AND PROCEDURES.
(E) ON OR BEFORE JANUARY 1, 2027, AND EVERY 2 YEARS THEREAFTER, THE ADMINISTRATION SHALL SUBMIT A REPORT TO THE STATE CHIEF INFORMATION SECURITY OFFICER OR THE OFFICER’S DESIGNEE THAT INCLUDES:
    (1) A GENERAL OVERVIEW OF CYBERSECURITY TECHNOLOGY AND POLICIES USED BY HEALTHCARE ECOSYSTEM ENTITIES IN THE STATE, GROUPED IN THE FOLLOWING MANNER:
        (I) INSURERS AUTHORIZED TO SELL HEALTH INSURANCE;
        (II) NONPROFIT HEALTH SERVICE PLANS;
        (III) HEALTH MAINTENANCE ORGANIZATIONS;
        (IV) DENTAL PLAN ORGANIZATIONS;
        (V) PHARMACY BENEFITS MANAGERS; AND
        (VI) ANY OTHER ENTITY PROVIDING A PLAN OF HEALTH INSURANCE, HEALTH BENEFITS, OR HEALTH SERVICES AUTHORIZED UNDER THIS ARTICLE OR THE AFFORDABLE CARE ACT;
    (2) INFORMATION ABOUT EACH CERTIFICATION COLLECTED, INCLUDING:
        (I) THE NAME OF THE HEALTHCARE ECOSYSTEM ENTITY;
        (II) THE DATE OF THE HEALTHCARE ECOSYSTEM ENTITY’S MOST RECENT CYBERSECURITY AUDIT;
        (III) THE CYBERSECURITY FRAMEWORK USED IN THE CYBERSECURITY AUDIT OF THE HEALTHCARE ECOSYSTEM ENTITY; AND
        (IV) THE NAME OF THE THIRD PARTY THAT COMPLETED THE CYBERSECURITY AUDIT;
    (3) AN OVERVIEW OF ESSENTIAL CAPABILITIES PROVIDED BY THE HEALTHCARE ECOSYSTEM ENTITY;
    (4) RECOMMENDATIONS FOR ENSURING THE CONTINUOUS DELIVERY OF ESSENTIAL CAPABILITIES DURING AND FOLLOWING A DISRUPTION TO THE HEALTHCARE ECOSYSTEM; AND
    (5) RECOMMENDATIONS TO IMPROVE CYBERSECURITY FOR THE GROUPS OF HEALTHCARE ECOSYSTEM ENTITIES IDENTIFIED IN ITEM (1) OF THIS SUBSECTION.

Article – State Finance and Procurement

3.5–101.

(a) In this title the following words have the meanings indicated.
(c) “Department” means the Department of Information Technology.

3.5–2A–01.

(a) In this subtitle the following words have the meanings indicated.
(b) “Council” means the Maryland Cybersecurity Coordinating Council.
(c) “Office” means the Office of Security Management.
3.5–2A–07.

(A) (1) IN THIS SECTION THE FOLLOWING WORDS HAVE THE MEANINGS INDICATED.
    (2) “HEALTHCARE ECOSYSTEM” MEANS THE ENTITIES AND RELATIONSHIPS AMONG ENTITIES THAT ARE NECESSARY TO DELIVER HEALTH CARE TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS.
    (3) “HEALTHCARE ECOSYSTEM ENTITY” INCLUDES:
        (I) A CARRIER;
        (II) AN ELECTRONIC DATA INTERCHANGE CLEARINGHOUSE;
        (III) A FREESTANDING MEDICAL FACILITY;
        (IV) A HOSPITAL;
        (V) A PHARMACY BENEFITS MANAGER;
        (VI) A HEALTH INFORMATION EXCHANGE; AND
        (VII) ANY OTHER ENTITY IDENTIFIED BY THE MARYLAND HEALTH CARE COMMISSION OR THE MARYLAND INSURANCE ADMINISTRATION IN REGULATIONS TO BE INCLUDED IN THE HEALTHCARE ECOSYSTEM.
(B) (1) A HEALTHCARE ECOSYSTEM ENTITY SHALL REPORT, IN ACCORDANCE WITH THE PROCESS ESTABLISHED UNDER PARAGRAPH (2) OF THIS SUBSECTION, A CYBERSECURITY INCIDENT, INCLUDING AN ATTACK ON A SYSTEM BEING USED BY THE HEALTHCARE ECOSYSTEM ENTITY, TO THE STATE SECURITY OPERATIONS CENTER IN THE DEPARTMENT.
    (2) THE OFFICE, IN CONSULTATION WITH THE MARYLAND HEALTH CARE COMMISSION AND THE MARYLAND INSURANCE ADMINISTRATION, SHALL ESTABLISH A PROCESS FOR A HEALTHCARE ECOSYSTEM ENTITY TO REPORT A CYBERSECURITY INCIDENT UNDER PARAGRAPH (1) OF THIS SUBSECTION, INCLUDING:
        (I) THE CRITERIA FOR DETERMINING THE CIRCUMSTANCES UNDER WHICH A CYBERSECURITY INCIDENT MUST BE REPORTED;
        (II) THE MANNER IN WHICH A CYBERSECURITY INCIDENT MUST BE REPORTED; AND
        (III) THE TIME PERIOD WITHIN WHICH A CYBERSECURITY INCIDENT MUST BE REPORTED.
    (3) THE STATE SECURITY OPERATIONS CENTER IMMEDIATELY SHALL NOTIFY APPROPRIATE STATE AND LOCAL AGENCIES OF A CYBERSECURITY INCIDENT REPORTED UNDER THIS SUBSECTION.
    (4) (I) ON OR BEFORE JULY 1 EACH YEAR, BEGINNING IN 2026, THE OFFICE SHALL REPORT TO THE GOVERNOR, THE COUNCIL, AND, IN ACCORDANCE WITH § 2–1257 OF THE STATE GOVERNMENT ARTICLE, THE GENERAL ASSEMBLY ON THE NUMBER OF CYBERSECURITY INCIDENTS AND TYPES OF CYBERSECURITY INCIDENTS REPORTED UNDER PARAGRAPH (1) OF THIS SUBSECTION IN THE IMMEDIATELY PRECEDING CALENDAR YEAR.
        (II) A REPORT SUBMITTED IN ACCORDANCE WITH SUBPARAGRAPH (I) OF THIS PARAGRAPH MAY NOT IDENTIFY A HEALTHCARE ECOSYSTEM ENTITY THAT REPORTED AN INCIDENT TO THE OFFICE OR A HEALTHCARE ECOSYSTEM ENTITY THAT WAS DIRECTLY AFFECTED BY AN INCIDENT REPORTED TO THE CENTER.

3.5–301.

(a) In this subtitle the following words have the meanings indicated.
(c) “Cybersecurity” means processes or capabilities wherein systems, communications, and information are protected and defended against damage, unauthorized use or modification, and exploitation.

SECTION 2. AND BE IT FURTHER ENACTED, That the Laws of Maryland read as follows:

Article – Health – General

19–113.

(F) THE COMMISSION, IN CONSULTATION WITH THE DEPARTMENT OF INFORMATION TECHNOLOGY, SHALL ADOPT REGULATIONS TO IMPLEMENT CYBERSECURITY STANDARDS AND PROCEDURES TO:
    (1) PREVENT DISRUPTIONS TO THE HEALTHCARE ECOSYSTEM;
    (2) ENABLE THE DELIVERY OF ESSENTIAL CAPABILITIES BY THE HEALTHCARE ECOSYSTEM; AND
    (3) SUPPORT RECOVERY FROM AN INCIDENT THAT DISRUPTS THE HEALTHCARE ECOSYSTEM.
(G) THE COMMISSION, IN CONJUNCTION WITH THE MARYLAND DEPARTMENT OF EMERGENCY MANAGEMENT, THE DEPARTMENT OF INFORMATION TECHNOLOGY, AND THE MARYLAND INSURANCE ADMINISTRATION, SHALL REGULARLY CONVENE A STAKEHOLDER WORKGROUP TO REVIEW CYBERSECURITY PRACTICES, THREATS, RESPONSES TO DISRUPTIONS, AND EMERGING ISSUES AFFECTING THE HEALTHCARE ECOSYSTEM.

Article – Insurance

2–117.
(F) THE ADMINISTRATION, IN CONSULTATION WITH THE DEPARTMENT OF INFORMATION TECHNOLOGY, SHALL ADOPT REGULATIONS TO IMPLEMENT CYBERSECURITY STANDARDS AND PROCEDURES TO:
    (1) PREVENT DISRUPTIONS TO THE HEALTHCARE ECOSYSTEM;
    (2) ENABLE THE DELIVERY OF ESSENTIAL CAPABILITIES BY THE HEALTHCARE ECOSYSTEM; AND
    (3) SUPPORT RECOVERY FROM AN INCIDENT THAT DISRUPTS THE HEALTHCARE ECOSYSTEM.

SECTION 3. AND BE IT FURTHER ENACTED, That:
SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That:

(a) (1) In this section the following words have the meanings indicated.
    (2) “Cybersecurity” has the meaning stated in § 3.5–301 of the State Finance and Procurement Article.
    (3) “Essential capabilities” means the services that must be available in the healthcare ecosystem to ensure the continuity of critical care and patient safety, including during an incident diminishing the capacity of the healthcare ecosystem.
    (4) “Healthcare ecosystem” means the entities and relationships among entities that are necessary to deliver treatment, payment, and health care operations.
    (5) (i) “Healthcare ecosystem entity” includes:
            1. a carrier, as defined in § 2–117 of the Insurance Article;
            2. an electronic data interchange clearinghouse;
            3. a freestanding medical facility, as defined in § 19–3A–01 of the Health – General Article;
            4. a health information exchange, as defined in § 4–301 of the Health – General Article;
            5. a hospital, as defined in § 19–301 of the Health – General Article; and
            6. a pharmacy benefits manager, as defined in § 15–1601 of the Insurance Article.
        (ii) “Healthcare ecosystem entity” does not include a governmental payor.
    (6) “Health care operations” has the meaning stated in 45 C.F.R. § 164.501.
    (7) “Payment” has the meaning stated in 45 C.F.R. § 164.501.
    (8) “Treatment” has the meaning stated in 45 C.F.R. § 164.501.
    (9) “Workgroup” means the Healthcare Ecosystem Stakeholder Cybersecurity Workgroup.
(b) (1) The Maryland Health Care Commission shall convene a healthcare ecosystem stakeholder workgroup to study and make recommendations to improve the cybersecurity of the healthcare ecosystem in the State There is a Healthcare Ecosystem Stakeholder Cybersecurity Workgroup.
    (2) The purpose of the Workgroup is to develop strategies to:
        (i) prevent cybersecurity disruptions to healthcare ecosystem operations;
        (ii) ensure the continuous delivery of essential healthcare ecosystem services; and
        (iii) enhance recovery efforts of the healthcare ecosystem following a cybersecurity incident.
(c) The Workgroup consists of the following members:
    (1) one member of the Senate of Maryland, appointed by the President of the Senate;
    (2) one member of the House of Delegates, appointed by the Speaker of the House;
    (3) the Chairman of the Maryland Health Care Commission, or the Chairman’s designee;
    (4) the Maryland Insurance Commissioner, or the Commissioner’s designee;
    (5) the Secretary of Emergency Management, or the Secretary’s designee;
    (6) the State Chief Information Security Officer, or the State Chief Officer’s designee;
    (7) two representatives from the Subcommittee on Critical Infrastructure of the Maryland Cybersecurity Council, appointed by the Chair of the Maryland Cybersecurity Council;
    (8) one representative from each of the following organizations, designated by the head of the organization:
        (i) one representative of the Cooperative Exchange;
        (ii) one representative of the Electronic Health Record Association;
        (iii) one representative of the Maryland League of Life and Health Insurers;
        (iv) one representative of the Maryland Hospital Association; and
        (v) one representative of the Maryland Cybersecurity Association;
    (9) one representative of a pharmacy benefits manager,
appointed by the Maryland Insurance Commissioner;
    (10) the following representatives appointed by the Chairman of the Maryland Health Care Commission:
        (i) one representative of an electronic data interchange clearinghouse;
        (ii) one representative of a freestanding medical facility;
        (iii) one representative of a large hospital;
        (iv) one representative of a small hospital;
        (v) one representative of an inpatient psychiatric hospital; and
        (vi) one representative of a health information exchange; and
    (11) three representatives of a patient advocacy group, jointly appointed by the Chairman of the Maryland Health Care Commission and the Maryland Insurance Commissioner.
(d) The Chairman of the Maryland Health Care Commission, or the Chairman’s designee, and the Maryland Insurance Commissioner, or the Commissioner’s designee, shall cochair the Workgroup.
(e) The Maryland Health Care Commission and the Maryland Insurance Administration shall provide staff for the Workgroup.
(f) A member of the Workgroup:
    (1) may not receive compensation as a member of the Workgroup; but
    (2) is entitled to reimbursement for expenses under the Standard State Travel Regulations, as provided in the State budget.
(g) The workgroup Workgroup shall:
    (1) identify essential capabilities required for the delivery of health care during a cybersecurity attack;
    (2) identify functional requirements for the healthcare ecosystem to be capable of providing the essential capabilities identified under item (1) of this subsection;
    (3) identify and map all healthcare ecosystem entities in the State against the essential health care capabilities and identified functional requirements;
    (4) identify which healthcare ecosystem entities are needed, directly or indirectly, to provide the essential capabilities identified under item (1) of this subsection;
    (5) identify other issues related to cybersecurity in the healthcare ecosystem develop an ecosystem cybersecurity threat and risk assessment based on the essential health care capabilities and supporting functions;
    (6) examine cybersecurity challenges affecting the healthcare ecosystem based on the threat and risk assessment;
    (6) (7) review best practices for cybersecurity and processes used in the healthcare ecosystem, including NIST 800–207, NIST 800–207A, NIST 800–53A, the NIST Cybersecurity Framework, HICP Technical Volume 1, and HICP Technical Volume 2; and
    (7) provide guidance for the Maryland Health Care Commission and the Maryland Insurance Administration regarding the adoption and maintenance of cybersecurity regulatory standards.
    (8) make recommendations for adopting and maintaining cybersecurity regulatory standards; and
    (9) make recommendations for ensuring that essential capabilities and supporting functions are resilient to disruption.
(d) (h) (1) On or before July January 1, 2026, the Maryland Health Care Commission Workgroup shall submit an interim report defining the scope and contents of the State’s healthcare ecosystem of its findings and recommendations to the Governor, the Secretary of Emergency Management, the Chairman of the Maryland Health Care Commission, the Maryland Insurance Commissioner, the State Chief Information Security Officer, and, in accordance with § 2–1257 of the State Government Article, the General Assembly.
    (2) On or before July December 1, 2028 2026, the Maryland Health Care Commission Workgroup shall submit a final report of the findings and recommendations of the workgroup to the Governor, the Secretary of Emergency Management, the Chairman of the Maryland Health Care Commission, the Maryland Insurance Commissioner, the State Chief Information Security Officer, and, in accordance with § 2–1257 of the State Government Article, the General Assembly.

SECTION 4. AND BE IT FURTHER ENACTED, That Section 2 of this Act shall take effect July 1, 2028.

SECTION 5. 2. AND BE IT FURTHER ENACTED, That, except as provided in Section 4 of this Act, this Act shall take effect July 1, 2025. Section 3 of this Act It shall remain effective for a period of 4 2 years and, at the end of June 30, 2029 2027, Section 3 of this Act, with no further action required by the General Assembly, shall be abrogated and of no further force and effect.

Approved:

________________________________________________________________________________ Governor.

________________________________________________________________________________ President of the Senate.

________________________________________________________________________________ Speaker of the House of Delegates.