[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 4336 Introduced in Senate (IS)]

<DOC>






117th CONGRESS
  2d Session
                                S. 4336

To require the Secretary of Health and Human Services, in consultation 
  with the Director of the Cybersecurity and Infrastructure Security 
   Agency, to annually review and as appropriate update guidance for 
   industry and Food and Drug Administration staff on medical device 
                 cybersecurity, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                              May 26, 2022

 Ms. Rosen (for herself and Mr. Young) introduced the following bill; 
     which was read twice and referred to the Committee on Health, 
                     Education, Labor, and Pensions

_______________________________________________________________________

                                 A BILL


 
To require the Secretary of Health and Human Services, in consultation 
  with the Director of the Cybersecurity and Infrastructure Security 
   Agency, to annually review and as appropriate update guidance for 
   industry and Food and Drug Administration staff on medical device 
                 cybersecurity, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Strengthening Cybersecurity for 
Medical Devices Act''.

SEC. 2. GUIDANCE FOR INDUSTRY AND FDA STAFF ON MEDICAL DEVICE 
              CYBERSECURITY.

    (a) In General.--Not later than 2 years after the date of enactment 
of this Act, and every 2 years thereafter, the Secretary of Health and 
Human Services (referred to in this Act as the ``Secretary''), in 
consultation with the Director of the Cybersecurity and Infrastructure 
Security Agency, shall review and, as appropriate and after soliciting 
and receiving feedback from medical device manufacturers, health care 
providers, and patient advocates, update the guidance entitled 
``Content of Premarket Submissions for Management of Cybersecurity in 
Medical Devices'' (or a successor document).
    (b) Updating Specific Provisions.--In updating the guidance under 
subsection (a), the Secretary may update specific provisions of the 
guidance, after notice and comment, without reissuing the guidance.

SEC. 3. RESOURCES REGARDING CYBERSECURITY OF MEDICAL DEVICES.

    Not later than 180 days after the date of enactment of this Act, 
and not less than annually thereafter, the Secretary shall update 
public information provided by the Food and Drug Administration, 
including through the webpage on medical devices on the website of the 
Food and Drug Administration, with information regarding improving 
cybersecurity of medical devices. Such information shall include 
information on identifying and addressing cyber vulnerabilities for 
health care providers, health systems, and medical device 
manufacturers, and how such entities may access support through the 
Cybersecurity and Infrastructure Security Agency and other Federal 
entities, including the Department of Health and Human Services, to 
improve cybersecurity of medical devices.

SEC. 4. GAO REPORT.

    Not later than 1 year after the date of enactment of this Act, the 
Comptroller General of the United States shall publish a report 
identifying challenges in cybersecurity for medical devices, including 
legacy devices that may not support certain software security updates. 
Through such report, the Comptroller General shall examine--
            (1) challenges for medical device manufacturers, health 
        care providers, health systems, and patients in accessing 
        Federal support to address vulnerabilities across Federal 
        agencies; and
            (2) how Federal agencies can strengthen coordination to 
        better support cybersecurity for medical devices.
                                 <all>