[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 4939 Introduced in Senate (IS)]
<DOC>
119th CONGRESS
2d Session
S. 4939
To require the Secretary of Health and Human Services to review certain
medical devices manufactured in the People's Republic of China for
potential cybersecurity issues, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
June 24, 2026
Mr. Cotton introduced the following bill; which was read twice and
referred to the Committee on Health, Education, Labor, and Pensions
_______________________________________________________________________
A BILL
To require the Secretary of Health and Human Services to review certain
medical devices manufactured in the People's Republic of China for
potential cybersecurity issues, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Countering Chinese Cyberthreats for
Patients Act'' or the ``Countering CCP Act''.
SEC. 2. REVIEW AND RECALL OF CERTAIN MEDICAL DEVICES MANUFACTURED IN
THE PEOPLE'S REPUBLIC OF CHINA.
(a) Review of Certain Devices.--
(1) In general.--The Secretary of Health and Human
Services, acting through the Commissioner of Food and Drugs
(referred to in this section as the ``Secretary''), in
consultation with the Director of the Cybersecurity and
Infrastructure Security Agency, shall review each covered
device for potential cybersecurity issues.
(2) Request for information.--
(A) In general.--Not later than 180 days after the
date of enactment of this Act, the Secretary, in
consultation with the Director of the Cybersecurity and
Infrastructure Security Agency, shall request from each
covered manufacturer of a covered device such
information as is necessary to conduct the review under
paragraph (1), including--
(i) a software bill of materials for the
covered device, including commercial, open-
source, and off-the-shelf software components,
and data mapping and architecture
documentation;
(ii) locations of entities, information
systems, and servers holding patient data; and
(iii) any other information the Secretary
determines necessary.
(B) Requirements.--In determining the form and
scope of information to request under subparagraph (A),
the Secretary, in consultation with the Director of the
Cybersecurity and Infrastructure Security Agency, shall
analyze covered devices and seek information, including
information on any processes and procedures of the
covered manufacturer, that, as determined by Secretary,
in consultation with the Director of the Cybersecurity
and Infrastructure Security Agency--
(i) would provide a reasonable assurance
that the covered device and related systems are
and will remain cybersecure; and
(ii) would provide a reasonable assurance
that patient data would not be stored or
transferred through systems or servers located
in, owned, or controlled by entities
headquartered or subject to jurisdiction of the
People's Republic of China.
(b) Recall Authority.--
(1) In general.--Subject to paragraph (3), not later than
18 months after the date of enactment of this Act, the
Secretary shall issue for all covered devices that are
determined pursuant to the review under subsection (a) to pose
a cybersecurity risk an order requiring the appropriate person
(including the manufacturers, importers, distributors, or
retailers of the covered device)--
(A) to immediately cease distribution of such
covered device;
(B) to immediately notify health professionals and
device user facilities of the order and to instruct
such professionals and facilities to cease use of such
covered device; and
(C) to notify all individuals subject to the risks
associated with the use of such covered device.
(2) Recall in cases of failure to provide information.--
Subject to paragraph (3), for any covered device for which the
covered manufacturer fails to submit the information requested
under subsection (a)(2)(A) by the date that is 180 days after
the date on which such covered manufacturer received such
request, the Secretary shall issue for such covered device an
order requiring the appropriate person (including the
manufacturers, importers, distributors, or retailers of the
covered device)--
(A) to immediately cease distribution of such
covered device;
(B) to immediately notify health professionals and
device user facilities of the order and to instruct
such professionals and facilities to cease use of such
covered device; and
(C) to notify all individuals subject to the risks
associated with the use of such covered device.
(3) Exemption.--The Secretary may exempt from an order
under paragraph (1) or (2) a covered device for which a recall
would, as determined by the Secretary, create a shortage that
would pose a danger to patient health.
(c) Report.--Not later than 2 years after the date of enactment of
this Act, the Secretary, in consultation with the Director of the
Cybersecurity and Infrastructure Security Agency, shall submit to the
Committee on Health, Education, Labor, and Pensions and the Committee
on Homeland Security and Governmental Affairs of the Senate and the
Committee on Energy and Commerce and the Committee on Homeland Security
of the House of Representatives a report that includes--
(1) a description of the cyber preparedness and data
security of the device industry in the United States;
(2) an analysis of the market share of devices used in the
United States of manufacturers headquartered in the People's
Republic of China;
(3) an analysis of data security requirements and
protections of devices used in the United States of
manufacturers headquartered in or subject to the jurisdiction
of the People's Republic of China; and
(4) recommendations for methods to bolster the cyber
preparedness of the device industry in the United States.
(d) Definitions.--In this section:
(1) Covered device.--The term ``covered device'' means a
networked device that was manufactured by a covered
manufacturer and was cleared, authorized, approved, or exempted
under section 510(k), 513(f)(2), 515, or 520(m) of the Federal
Food, Drug, and Cosmetic Act (21 U.S.C. 360(k), 360c(f)(2),
360e, 360j(m)) on or before March 28, 2023.
(2) Covered manufacturer.--
(A) In general.--The term ``covered manufacturer''
means a manufacturer--
(i) headquartered in the People's Republic
of China; or
(ii) that is owned or controlled by--
(I) the People's Republic of China;
or
(II) 1 or more individuals or
entities of the People's Republic of
China.
(B) Exclusion.--The term ``covered manufacturer''
does not include a manufacturer that has operations,
subsidiaries, or publicly traded securities in the
People's Republic of China if such manufacturer is not
otherwise a manufacturer described in subparagraph (A).
(3) Cybersecurity risk.--The term ``cybersecurity risk''
means threats to and vulnerabilities of information or
information systems and any related consequences caused by or
resulting from unauthorized access, use, disclosure,
degradation, disruption, modification, or destruction of such
information or information systems, including such related
consequences caused by an act of terrorism.
(4) Networked.--The term ``networked'', with respect to a
device, means that the device includes software that has the
ability to connect to the internet.
<all>