S.1656 - Medical Device Cybersecurity Act of 2017
115th Congress (2017-2018)
Sponsor: Sen. Blumenthal, Richard [D-CT] (Introduced 07/27/2017)
Committees: Senate - Health, Education, Labor, and Pensions
Latest Action: Senate - 07/27/2017 Read twice and referred to the Committee on Health, Education, Labor, and Pensions.
This bill has the status Introduced
Summary: S.1656 — 115th Congress (2017-2018)
Introduced in Senate (07/27/2017)
Medical Device Cybersecurity Act of 2017
This bill amends the Federal Food, Drug, and Cosmetic Act to require the Food and Drug Administration (FDA), in coordination with others, to create a cybersecurity report card for devices that have network or Internet connectivity, connect to an external drive or external media, or have any other cyber capability.
Report cards must contain specified information, including: (1) information pertaining to the essential elements described in the most recent version of the Manufacturer Disclosure Statement for Medical Device Security, (2) a cybersecurity risk assessment conducted by the manufacturer or third party, and (3) whether the device is capable of being accessed remotely.
A cyber device manufacturer must include a report card in any premarket notification or application for premarket approval. The FDA shall provide a copy of a device's report card if requested by a health care industry entity or an entity with a valid interest in the report card.
The bill establishes procedures, including notifications to providers and patients, that manufacturers must follow when cyber devices are remotely accessed or are no longer going to be sold. Fixes and updates to cyber devices must be free of charge for specified time periods.
The bill expands the responsibilities of the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team to include investigating cybersecurity vulnerabilities of cyber devices that may cause harm to human life or the significant misuse of personal health information, and coordinating device-specific responses.