ME LD2103

Licensed hospitals must adopt and annually update a cybersecurity plan and submit it to the Department of Health and Human Services

Cybersecurity plans must include timely notification procedures for intrusions to law enforcement, patients, health care providers, municipalities, and state regulators

Plans must address backup communications, patient triage, diversion of services, regional hospital partnerships, and patient complaint processes to ensure continuity of care during cyber incidents

Hospitals must provide cybersecurity training for employees, board members, and affiliated organizations, and conduct annual test runs of their cybersecurity plans

Cybersecurity intrusions that impact patients' access to medical care are added to the definition of "sentinel event," requiring mandatory reporting