[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3985 Introduced in House (IH)]

115th CONGRESS
  1st Session
                                H. R. 3985

To establish a working group of public and private entities led by the 
  Food and Drug Administration to recommend voluntary frameworks and 
   guidelines to increase the security and resilience of Internet of 
            Medical Things devices, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            October 5, 2017

   Mr. Trott (for himself and Mrs. Brooks of Indiana) introduced the 
   following bill; which was referred to the Committee on Energy and 
                                Commerce

_______________________________________________________________________

                                 A BILL


 
To establish a working group of public and private entities led by the 
  Food and Drug Administration to recommend voluntary frameworks and 
   guidelines to increase the security and resilience of Internet of 
            Medical Things devices, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the "Internet of Medical Things 
Resilience Partnership Act of 2017".

SEC. 2. STUDY ON THE SECURITY AND RESILIENCE OF CERTAIN MEDICAL 
              DEVICES.

    (a) Study.--Not later than 5 months after the date of enactment of 
this Act, the Commissioner of the Food and Drug Administration, in 
consultation with the National Institute of Standards and Technology, 
shall establish a working group of public and private entities to 
develop recommendations for voluntary frameworks and guidelines to 
increase the security and resilience of networked medical devices sold 
in the United States that store, receive, access, or transmit 
information to an external recipient or system for which unauthorized 
access, modification, misuse, or denial of use may result in patient 
harm.
    (b) Working Group.--
            (1) In general.--In developing the recommendations under 
        subsection (a), the Commissioner shall seek input from a 
        working group representing the Federal Government, industry, 
        and academia.
            (2) Chairperson.--The Commissioner of the Food and Drug 
        Administration, or a designee of the Commissioner, shall serve 
        as the chairperson of the working group established under 
        paragraph (1).
            (3) Membership.--Membership of the working group shall 
        include a representative from each of the following:
                    (A) The Center for Devices and Radiological Health 
                of the Food and Drug Administration.
                    (B) The Office of the National Coordinator for 
                Health Information Technology of the Department of 
                Health and Human Services.
                    (C) The Office of Technology Research and 
                Investigation of the Federal Trade Commission.
                    (D) The Cybersecurity and Communications 
                Reliability Division of the Federal Communications 
                Commission.
                    (E) The National Institute of Standards and 
                Technology of the Department of Commerce.
                    (F) The National Cyber Security Alliance.
            (4) Appointed members.--The chairperson shall appoint to 
        the working group a minimum of 3 qualified representatives from 
        each of the following private sector categories:
                    (A) Medical device manufacturers.
                    (B) Health care providers.
                    (C) Health insurance providers.
                    (D) Cloud computing.
                    (E) Wireless network providers.
                    (F) Enterprise security solutions systems.
                    (G) Health information technology.
                    (H) Web-based mobile application developers.
                    (I) Software developers.
                    (J) Hardware developers.
    (c) Report.--Not later than 18 months after the date of enactment 
of this Act, the Commissioner shall submit to Congress a report on the 
recommendations developed under subsection (a), including--
            (1) an identification of existing cybersecurity standards, 
        guidelines, frameworks, and best practices that are applicable 
        to mitigate vulnerabilities in the devices described in 
        subsection (a);
            (2) an identification of existing and developing 
        international and domestic cybersecurity standards, guidelines, 
        frameworks, and best practices that mitigate vulnerabilities in 
        such devices;
            (3) a specification of high-priority gaps for which new or 
        revised standards are needed; and
            (4) potential action plans by which such gaps can be 
        addressed.