SB 403, An Act Concerning Cybersecurity

TESTIMONY OF THE CONNECTICUT HOSPITAL ASSOCIATION
SUBMITTED TO THE PUBLIC SAFETY AND SECURITY COMMITTEE

Tuesday, March 10, 2026

The Connecticut Hospital Association (CHA) appreciates this opportunity to submit testimony concerning SB 403, An Act Concerning Cybersecurity.  CHA opposes the bill as written.

Connecticut hospitals make our state stronger by delivering nationally recognized, world-class care, supporting jobs and economic growth, and serving communities across Connecticut.  Every day, hospitals improve access, affordability, and health equity — providing care to all patients regardless of ability to pay.  At the same time, hospitals invest in their workforce and local communities, even as they navigate significant financial and federal challenges.

SB 403 seeks to create new obligations relating to cybersecurity in various industry sectors.  To the extent the bill addresses the oversight of healthcare-involved technology assets, systems, and infrastructure, we urge caution for three key reasons, detailed below.

Key Issue #1: Misapplication of National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0

SB 403 elevates the NIST cybersecurity framework beyond its intended use by seeking “compliance with” the NIST Cybersecurity Framework 2.0.  NIST transparently and unequivocally states that the Cybersecurity Framework 2.0 is for guidance.  It is not meant to be like a regulation, and it expressly provides that it “does not prescribe how outcomes should be achieved.”  The NIST Framework is intended for organizations to utilize as a resource to learn from, not as a strict set of compliance standards. 

The following is quoted directly from NIST:

The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts. The CSF does not prescribe how outcomes should be achieved. Rather, it links to online resources that provide additional guidance on practices and controls that could be used to achieve those outcomes. This document describes CSF 2.0, its components, and some of the many ways that it can be used.

Key Issue #2: Failure to Prioritize HIPAA For Healthcare

SB 403 does not adequately recognize or address the differences between Health Insurance Portability and Accountability Act (HIPAA) security rules and the NIST Cybersecurity Framework.  Specifically, SB 403 does not take into account that HIPAA-governed enterprises must follow HIPAA security rules that set other priorities, domains, and focus areas essential for healthcare’s stewardship of data.  HIPAA-governed entities include most healthcare providers, health insurers, and the Medicare and Medicaid programs (including the Department of Social Services (DSS) in its role as the state agency responsible for Medicaid).

We are currently awaiting the final version of an updated HIPAA Security rule, first published as a proposed rule in February 2025.  To be clear, the proposed HIPAA updates were published after the updated NIST Cybersecurity Framework 2.0 was published.  Yet, the proposed HIPAA Security Rule updates do not seek to mandate that the NIST Cybersecurity Framework 2.0 be used by healthcare providers as a set of compliance standards. 

Key Issue #3: Premature And Rapid Uptake of Quantum-Transition Readiness

Section 6 of the bill mandates that each “critical infrastructure entity, health care provider, financial institution and state agency shall adopt a quantum-transition readiness posture, including, but not necessarily limited to, planning for migration toward post-quantum cryptography approved by the National Institute of Standards and Technology.” 

While we appreciate that quantum-transition readiness is a laudable goal, the abrupt and mandated timeline is unreasonable and would be extraordinarily expensive for the state and impacted businesses.  In all cases, the costs of compliance with this provision would crowd out the budget for the core mission of an entity or agency tasked with compliance.  

Other Issues

In addition to the three key issues discussed above, other parts of the bill are unclear and excessively wide in scope.

  • New mandated breach reporting in Section 4 is overly broad and its scope poorly outlined.
  • Providing complete statutory immunity for “vetted security researchers” (known in the industry as “white hat teams” or “ethical hackers”) in Section 8, including with respect to state-based healthcare providers and hospitals, is problematic.  This type of work is ubiquitous in high-technology industries through contractual arrangements where risk and losses can be clearly anticipated and controlled.  A broad immunity law that does not follow contractual controls is misaligned with state contracting rules and likely violates HIPAA, depending on the work performed and whether business associate arrangement contracts are in place.
  • HIPAA privacy and security rules already contain robust “whistleblower” components, making the bill’s Section 3 both unnecessary and misaligned with existing federal law for healthcare providers and insurers.

We appreciate the state’s interest in protecting critical infrastructure.  We do not believe the bill, as drafted, will foster better protection for healthcare; instead, it will conflict with existing federal law and impose significant financial and workforce burdens to implement.  More industry-specific input is needed to avoid unintended consequences and confusion in the field.

Thank you for your consideration of our position.  For additional information, contact CHA Government Relations at (203) 294-7301.