Conn. Gen. Stat. § 19a-NEW
Not later than January 1, 2025, and not less than annually thereafter, each hospital licensed pursuant to chapter 368v of the general statutes, except any such hospital that is operated exclusively by the state, shall (1) submit the hospital's plans and processes to respond to a cybersecurity disruption of the hospital's operations to an audit by an independent, certified cybersecurity auditor or cybersecurity expert credentialed by the Information Systems Audit and Control Association, or similar entity that provides such credentials, to determine the adequacy of such plans and processes and identify any necessary improvements to such plans and processes, and (2) make available for inspection on a confidential basis to the Departments of Public Health and Administrative Services and the Division of Emergency Management and Homeland Security within the Department of Emergency Services and Public Protection information regarding whether such plans and processes have been determined to be adequate pursuant to such audit and the steps the hospital is taking to implement any recommended improvements by the auditor. Any recipient of the information submitted or made available pursuant to this section shall maintain the maximum level of confidentiality allowed under law for such information and shall not disclose such information except as expressly required by law. The information submitted or made available pursuant to this section shall be exempt from disclosure under the Freedom of Information Act, as defined in section 1-200 of the general statutes.
Conn. Gen. Stat. § 19a-NEW