Maine committee hears wide support for bill requiring hospital cybersecurity plans, hospitals warn of duplication and cost

Representative Julie McCabe introduced LD 2103 at a public hearing of the Legislature's Health and Human Services Committee on Feb. 24, saying the bill's goals are "to help prevent cybersecurity attacks on our hospital systems, and ... to ensure continuity of patient care when future cyberattacks inevitably occur."

The sponsor framed the bill as a response to two large incidents last spring that affected multiple hospitals and outpatient offices, which she said impacted more than 400,000 patients and exposed gaps in communication, triage and continuity of care. The proposal would require hospitals to adopt written cybersecurity plans, conduct annual staff training and penetration testing, run tabletop simulations, create mutual-aid compacts with nearby providers, and prioritize restoration of clinical systems based on patient acuity and census. It also calls for an accounting of the health impacts from past incidents.

The hearing drew broad support from patients, nurses, elder-advocacy groups and cybersecurity experts who described concrete clinical harms when networks were unavailable. Dr. Christian DeMath, an emergency physician and researcher, said hospitals without cyber-specific plans saw "huge spikes in emergency department patient volumes, prolonged wait times, record high ambulance diversions, and worse outcomes," and warned that when clinicians cannot use technology "patient care suffers."

Nurses who testified described working without electronic fetal monitoring, slower scanning of newborn records into charts, diverted patients and a loss of community trust. Mariah Pfeiffer, an RN in labor and delivery at Central Maine Medical Center, said staff still feel the effects of the downtime and urged the state to coordinate support so local hospitals are not left to handle large outages alone.

Advocacy groups emphasized patient-facing consequences. Bridget Quinn of AARP Maine said the measure aligns with consumer-protection principles and would reduce delays in care and the risk that sensitive personal information is exposed or exploited. Legal Services for Maine Elders highlighted difficulties older, medically complex patients faced obtaining prescriptions and appointments during the outage.

Hospital leaders and their legal counsel opposed parts of the bill. Wynn Brown, president of Saint Mary's Health System, told the committee that while the system's response focused on patients and staff, the proposed statute could impose new administrative costs and duplicate federal requirements under HIPAA. Jeff Austin of the Maine Hospital Association called the proposal an "expensive, unfunded mandate," and warned that insurers and law enforcement involvement during incidents limits what hospitals can do and report.

Hospitals and their counsel also flagged operational and confidentiality concerns with requiring submission of detailed cybersecurity audits to a state repository, saying such compilations could create new security risks. DHHS officials testified neither for nor against but suggested amendments to balance oversight with confidentiality, proposing post-incident reviews, limited public disclosure, and technical changes to annual-update language.

Committee members asked for comparative examples from other states and for technical follow-up at a work session planned in the coming weeks. Representative Meyer closed the hearing, noting that deliberation and formal debate would occur in the work session.

The committee did not take a vote on LD 2103 at the Feb. 24 hearing; members asked staff for additional information and scheduled follow-up work-session review.