<?xml version="1.0"?>
<!-- Prolog of a U.S. Congress bill document whose root element is `bill`.
     The declaration names no encoding, so parsers apply the XML default
     (UTF-8 when there is no byte-order mark). The body contains non-ASCII
     punctuation, so the file must be stored in that encoding. -->
<!-- Rendering hint: asks the processor to apply billres.xsl. The href is
     relative, so it resolves against wherever this file was loaded from.
     NOTE(review): a pipeline that transforms this file should apply a
     stylesheet it has vetted itself, not whichever billres.xsl happens to
     sit beside the document. -->
<?xml-stylesheet type="text/xsl" href="billres.xsl"?>
<!-- External DTD subset: a public identifier plus the relative system
     identifier bill.dtd; there is no internal subset.
     NOTE(review): a parser that loads DTDs will try to fetch bill.dtd.
     Resolve it from a pinned local copy (for example an XML catalog keyed
     on the public identifier) and keep external entity loading disabled
     when the file arrives from an untrusted source. -->
<!DOCTYPE bill PUBLIC "-//US Congress//DTDs/bill.dtd//EN" "bill.dtd">
<bill bill-stage="Introduced-in-Senate" dms-id="A1" public-private="public" slc-id="S1-BON22381-WHR-V8-5TY"><metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
<dublinCore>
<dc:title>117 S4336 IS: Strengthening Cybersecurity for Medical Devices Act</dc:title>
<dc:publisher>U.S. Senate</dc:publisher>
<dc:date>2022-05-26</dc:date>
<dc:format>text/xml</dc:format>
<dc:language>EN</dc:language>
<dc:rights>Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.</dc:rights>
</dublinCore>
</metadata>
<form>
<distribution-code display="yes">II</distribution-code><congress>117th CONGRESS</congress><session>2d Session</session><legis-num>S. 4336</legis-num><current-chamber>IN THE SENATE OF THE UNITED STATES</current-chamber><action><action-date date="20220526">May 26, 2022</action-date><action-desc><sponsor name-id="S402">Ms. Rosen</sponsor> (for herself and <cosponsor name-id="S391">Mr. Young</cosponsor>) introduced the following bill; which was read twice and referred to the <committee-name committee-id="SSHR00">Committee on Health, Education, Labor, and Pensions</committee-name></action-desc></action><legis-type>A BILL</legis-type><official-title>To require the Secretary of Health and Human Services, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, to annually review and as appropriate update guidance for industry and Food and Drug Administration staff on medical device cybersecurity, and for other purposes.</official-title></form><legis-body><section id="S1" section-type="section-one"><enum>1.</enum><header>Short title</header><text display-inline="no-display-inline">This Act may be cited as the <quote><short-title>Strengthening Cybersecurity for Medical Devices Act</short-title></quote>.</text></section><section id="idBFA1AF797A6E4782BAF2C9F7031E199B"><enum>2.</enum><header>Guidance for industry and FDA staff on medical device cybersecurity</header><subsection id="id14FBA8A5F5404787B0DA99D6D9D3426C"><enum>(a)</enum><header>In general</header><text display-inline="yes-display-inline">Not later than 2 years after the date of enactment of this Act, and every 2 years thereafter, the Secretary of Health and Human Services (referred to in this Act as the <quote>Secretary</quote>), in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall review and, as appropriate and after soliciting and receiving feedback from medical device manufacturers, health care providers, and patient advocates, 
update the guidance entitled <quote>Content of Premarket Submissions for Management of Cybersecurity in Medical Devices</quote> (or a successor document).</text></subsection><subsection id="idB47FDA71F982495BAD5E7750A6702EF3"><enum>(b)</enum><header>Updating specific provisions</header><text>In updating the guidance under subsection (a), the Secretary may update specific provisions of the guidance, after notice and comment, without reissuing the guidance.</text></subsection></section><section id="idC74AFE19CD1B460FA66E7FCD09A50A98"><enum>3.</enum><header>Resources regarding cybersecurity of medical devices</header><text display-inline="no-display-inline">Not later than 180 days after the date of enactment of this Act, and not less than annually thereafter, the Secretary shall update public information provided by the Food and Drug Administration, including through the webpage on medical devices on the website of the Food and Drug Administration, with information regarding improving cybersecurity of medical devices. Such information shall include information on identifying and addressing cyber vulnerabilities for health care providers, health systems, and medical device manufacturers, and how such entities may access support through the Cybersecurity and Infrastructure Security Agency and other Federal entities, including the Department of Health and Human Services, to improve cybersecurity of medical devices. </text></section><section id="id585B08E5EF2D4949B61B2FBCB12FBEB0"><enum>4.</enum><header>GAO report</header><text display-inline="no-display-inline">Not later than 1 year after the date of enactment of this Act, the Comptroller General of the United States shall publish a report identifying challenges in cybersecurity for medical devices, including legacy devices that may not support certain software security updates. 
Through such report, the Comptroller General shall examine—</text><paragraph id="id804DCA83515C477681545A937EC7DC68"><enum>(1)</enum><text display-inline="yes-display-inline">challenges for medical device manufacturers, health care providers, health systems, and patients in accessing Federal support to address vulnerabilities across Federal agencies; and </text></paragraph><paragraph id="idD26DFB0A75AF40128A12659D2753BD96"><enum>(2)</enum><text display-inline="yes-display-inline">how Federal agencies can strengthen coordination to better support cybersecurity for medical devices. </text></paragraph></section></legis-body></bill> 

