[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 4336 Introduced in Senate (IS)]
117th CONGRESS
2d Session
S. 4336
To require the Secretary of Health and Human Services, in consultation
with the Director of the Cybersecurity and Infrastructure Security
Agency, to annually review and as appropriate update guidance for
industry and Food and Drug Administration staff on medical device
cybersecurity, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
May 26, 2022
Ms. Rosen (for herself and Mr. Young) introduced the following bill;
which was read twice and referred to the Committee on Health,
Education, Labor, and Pensions
_______________________________________________________________________
A BILL
To require the Secretary of Health and Human Services, in consultation
with the Director of the Cybersecurity and Infrastructure Security
Agency, to annually review and as appropriate update guidance for
industry and Food and Drug Administration staff on medical device
cybersecurity, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Strengthening Cybersecurity for
Medical Devices Act''.
SEC. 2. GUIDANCE FOR INDUSTRY AND FDA STAFF ON MEDICAL DEVICE
CYBERSECURITY.
(a) In General.--Not later than 2 years after the date of enactment
of this Act, and every 2 years thereafter, the Secretary of Health and
Human Services (referred to in this Act as the ``Secretary''), in
consultation with the Director of the Cybersecurity and Infrastructure
Security Agency, shall review and, as appropriate and after soliciting
and receiving feedback from medical device manufacturers, health care
providers, and patient advocates, update the guidance entitled
``Content of Premarket Submissions for Management of Cybersecurity in
Medical Devices'' (or a successor document).
(b) Updating Specific Provisions.--In updating the guidance under
subsection (a), the Secretary may update specific provisions of the
guidance, after notice and comment, without reissuing the guidance.
SEC. 3. RESOURCES REGARDING CYBERSECURITY OF MEDICAL DEVICES.
Not later than 180 days after the date of enactment of this Act,
and not less than annually thereafter, the Secretary shall update
public information provided by the Food and Drug Administration,
including through the webpage on medical devices on the website of the
Food and Drug Administration, with information regarding improving
cybersecurity of medical devices. Such information shall include
information on identifying and addressing cyber vulnerabilities for
health care providers, health systems, and medical device
manufacturers, and how such entities may access support through the
Cybersecurity and Infrastructure Security Agency and other Federal
entities, including the Department of Health and Human Services, to
improve cybersecurity of medical devices.
SEC. 4. GAO REPORT.
Not later than 1 year after the date of enactment of this Act, the
Comptroller General of the United States shall publish a report
identifying challenges in cybersecurity for medical devices, including
legacy devices that may not support certain software security updates.
Through such report, the Comptroller General shall examine--
(1) challenges for medical device manufacturers, health
care providers, health systems, and patients in accessing
Federal support to address vulnerabilities across Federal
agencies; and
(2) how Federal agencies can strengthen coordination to
better support cybersecurity for medical devices.