<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="billres.xsl"?>
<!DOCTYPE bill PUBLIC "-//US Congress//DTDs/bill.dtd//EN" "bill.dtd">
<bill bill-stage="Introduced-in-Senate" dms-id="A1" public-private="public" slc-id="S1-KEN26388-7TN-H4-71M">
<metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
<dublinCore>
<dc:title>119 S4939 IS: Countering Chinese Cyberthreats for Patients Act</dc:title>
<dc:publisher>U.S. Senate</dc:publisher>
<dc:date>2026-06-24</dc:date>
<dc:format>text/xml</dc:format>
<dc:language>EN</dc:language>
<dc:rights>Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.</dc:rights>
</dublinCore>
</metadata>
<form>
<distribution-code display="yes">II</distribution-code>
<congress>119th CONGRESS</congress><session>2d Session</session>
<legis-num>S. 4939</legis-num>
<current-chamber>IN THE SENATE OF THE UNITED STATES</current-chamber>
<action>
<action-date date="20260624">June 24, 2026</action-date>
<action-desc><sponsor name-id="S374">Mr. Cotton</sponsor> introduced the following bill; which was read twice and referred to the <committee-name committee-id="SSHR00">Committee on Health, Education, Labor, and Pensions</committee-name></action-desc>
</action>
<legis-type>A BILL</legis-type>
<official-title>To require the Secretary of Health and Human Services to review certain medical devices manufactured in the People's Republic of China for potential cybersecurity issues, and for other purposes.</official-title>
</form>
<legis-body id="H262984DD32E245D3AD5C4B46497C9E14">
<section id="S1" section-type="section-one"><enum>1.</enum><header>Short title</header><text display-inline="no-display-inline">This Act may be cited as the <quote><short-title>Countering Chinese Cyberthreats for Patients Act</short-title></quote> or the <quote><short-title>Countering CCP Act</short-title></quote>.</text></section> <section id="idf7c1bc24809944678e4935292682042e"><enum>2.</enum><header>Review and recall of certain medical devices manufactured in the People's Republic of China</header> <subsection commented="no" display-inline="no-display-inline" id="iddf6cbf8342564fffaef8134f92f65210"><enum>(a)</enum><header display-inline="yes-display-inline">Review of certain devices</header> <paragraph commented="no" display-inline="no-display-inline" id="iddf6aba52502d49cb97a47634b5714217"><enum>(1)</enum><header display-inline="yes-display-inline">In general</header><text>The Secretary of Health and Human Services, acting through the Commissioner of Food and Drugs (referred to in this section as the <term>Secretary</term>), in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall review each covered device for potential cybersecurity issues.</text></paragraph>
<paragraph id="id1b73356d8db54f7ab477143d4e2c67e9"><enum>(2)</enum><header>Request for information</header>
<subparagraph commented="no" display-inline="no-display-inline" id="id09e40e9cd6a14a60be27a056459a4460"><enum>(A)</enum><header>In general</header><text display-inline="yes-display-inline">Not later than 180 days after the date of enactment of this Act, the Secretary, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall request from each covered manufacturer of a covered device such information as is necessary to conduct the review under paragraph (1), including—</text> <clause commented="no" display-inline="no-display-inline" id="idf9dec45abe4f434ea9aae64c517add13"><enum>(i)</enum><text display-inline="yes-display-inline">a software bill of materials for the covered device, including commercial, open-source, and off-the-shelf software components, and data mapping and architecture documentation;</text></clause>
<clause commented="no" display-inline="no-display-inline" id="id0ab3dff3ec7b48a1bac9ca806cfc056a"><enum>(ii)</enum><text display-inline="yes-display-inline">locations of entities, information systems, and servers holding patient data; and</text></clause> <clause commented="no" display-inline="no-display-inline" id="idf4e7cf383e6b4608a73c6e657688aa0b"><enum>(iii)</enum><text>any other information the Secretary determines necessary.</text></clause></subparagraph>
<subparagraph commented="no" display-inline="no-display-inline" id="idfc6e9b97826846b2a1f2b4e1264b780f"><enum>(B)</enum><header>Requirements</header><text>In determining the form and scope of information to request under subparagraph (A), the Secretary, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall analyze covered devices and seek information, including information on any processes and procedures of the covered manufacturer, that, as determined by Secretary, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency—</text> <clause commented="no" display-inline="no-display-inline" id="id510999fbb91a4c5a9398d451d3909647"><enum>(i)</enum><text>would provide a reasonable assurance that the covered device and related systems are and will remain cybersecure; and</text></clause>
<clause id="idaeb72b7f50164fada0e7cef221265cff"><enum>(ii)</enum><text>would provide a reasonable assurance that patient data would not be stored or transferred through systems or servers located in, owned, or controlled by entities headquartered or subject to jurisdiction of the People’s Republic of China.</text></clause></subparagraph></paragraph></subsection> <subsection id="idfb7eabc9efc241939527b93e9f4ac2b3"><enum>(b)</enum><header>Recall authority</header> <paragraph commented="no" display-inline="no-display-inline" id="idb9ae32549f684711ae4eaf384032dac1"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">Subject to paragraph (3), not later than 18 months after the date of enactment of this Act, the Secretary shall issue for all covered devices that are determined pursuant to the review under subsection (a) to pose a cybersecurity risk an order requiring the appropriate person (including the manufacturers, importers, distributors, or retailers of the covered device)—</text>
<subparagraph commented="no" display-inline="no-display-inline" id="idfdbc884bb58d4bf6bcf421e5775fd2cc"><enum>(A)</enum><text display-inline="yes-display-inline">to immediately cease distribution of such covered device;</text></subparagraph> <subparagraph commented="no" display-inline="no-display-inline" id="id3c4bb404e2574c2b92d27237b131a3c8"><enum>(B)</enum><text display-inline="yes-display-inline">to immediately notify health professionals and device user facilities of the order and to instruct such professionals and facilities to cease use of such covered device; and</text></subparagraph>
<subparagraph commented="no" display-inline="no-display-inline" id="id812e8a322bb145de9eafa7f85b8bc36c"><enum>(C)</enum><text>to notify all individuals subject to the risks associated with the use of such covered device.</text></subparagraph></paragraph> <paragraph id="idfb7b19d3619a42da80a4b093782c42d1"><enum>(2)</enum><header>Recall in cases of failure to provide information</header><text>Subject to paragraph (3), for any covered device for which the covered manufacturer fails to submit the information requested under subsection (a)(2)(A) by the date that is 180 days after the date on which such covered manufacturer received such request, the Secretary shall issue for such covered device an order requiring the appropriate person (including the manufacturers, importers, distributors, or retailers of the covered device)—</text>
<subparagraph commented="no" display-inline="no-display-inline" id="id26ad68532305424dbc954da60ca6a37d"><enum>(A)</enum><text display-inline="yes-display-inline">to immediately cease distribution of such covered device;</text></subparagraph> <subparagraph id="id68fa926b1b0c488b8c44c8067153a2bc" commented="no" display-inline="no-display-inline"><enum>(B)</enum><text display-inline="yes-display-inline">to immediately notify health professionals and device user facilities of the order and to instruct such professionals and facilities to cease use of such covered device; and</text></subparagraph>
<subparagraph commented="no" display-inline="no-display-inline" id="id5acd14c91fcf47b381969fbf1872c094"><enum>(C)</enum><text>to notify all individuals subject to the risks associated with the use of such covered device.</text></subparagraph></paragraph> <paragraph commented="no" display-inline="no-display-inline" id="idd3003b01da1144d29e390c1f72c0a583"><enum>(3)</enum><header display-inline="yes-display-inline">Exemption</header><text>The Secretary may exempt from an order under paragraph (1) or (2) a covered device for which a recall would, as determined by the Secretary, create a shortage that would pose a danger to patient health.</text></paragraph></subsection>
<subsection id="id54a72c943cb746419558ca2b95cf6c16"><enum>(c)</enum><header>Report</header><text>Not later than 2 years after the date of enactment of this Act, the Secretary, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall submit to the Committee on Health, Education, Labor, and Pensions and the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Energy and Commerce and the Committee on Homeland Security of the House of Representatives a report that includes—</text> <paragraph id="ida0321be98d0546cebf18dcba80f634cb"><enum>(1)</enum><text>a description of the cyber preparedness and data security of the device industry in the United States;</text></paragraph>
<paragraph id="id2c9c64b204d5494ab8fc7a4fab32453b"><enum>(2)</enum><text>an analysis of the market share of devices used in the United States of manufacturers headquartered in the People's Republic of China;</text></paragraph> <paragraph id="ida2654d186fa34e5399e61c47db198e7c"><enum>(3)</enum><text>an analysis of data security requirements and protections of devices used in the United States of manufacturers headquartered in or subject to the jurisdiction of the People’s Republic of China; and</text></paragraph>
<paragraph id="idee418ee0279f4220a7d6519a196727b9"><enum>(4)</enum><text>recommendations for methods to bolster the cyber preparedness of the device industry in the United States.</text></paragraph></subsection> <subsection commented="no" display-inline="no-display-inline" id="id59385715783d47d382434f8ab6f7044f"><enum>(d)</enum><header>Definitions</header><text>In this section:</text>
<paragraph commented="no" display-inline="no-display-inline" id="ida1d47f24f161467a9b56249c6e216b19"><enum>(1)</enum><header display-inline="yes-display-inline">Covered device</header><text>The term <term>covered device</term> means a networked device that was manufactured by a covered manufacturer and was cleared, authorized, approved, or exempted under section 510(k), 513(f)(2), 515, or 520(m) of the Federal Food, Drug, and Cosmetic Act (<external-xref legal-doc="usc" parsable-cite="usc/21/360">21 U.S.C. 360(k)</external-xref>, 360c(f)(2), 360e, 360j(m)) on or before March 28, 2023.</text></paragraph> <paragraph commented="no" display-inline="no-display-inline" id="id9948d4e7e1f14985bb75a572cfaf2caf"><enum>(2)</enum><header>Covered manufacturer</header> <subparagraph commented="no" display-inline="no-display-inline" id="id4bc6297341804a6d9b56f746868f5c33"><enum>(A)</enum><header>In general</header><text display-inline="yes-display-inline">The term <term>covered manufacturer</term> means a manufacturer—</text>
<clause commented="no" display-inline="no-display-inline" id="id5fcbd24fd67e421c81d7e19104729879"><enum>(i)</enum><text display-inline="yes-display-inline">headquartered in the People's Republic of China; or</text></clause> <clause commented="no" display-inline="no-display-inline" id="id115d710ac93a44b594c477ef9bcb29f5"><enum>(ii)</enum><text display-inline="yes-display-inline">that is owned or controlled by—</text>
<subclause commented="no" display-inline="no-display-inline" id="id09b049c999684c58ab5a9dc043e65f4f"><enum>(I)</enum><text display-inline="yes-display-inline">the People’s Republic of China; or</text></subclause> <subclause commented="no" display-inline="no-display-inline" id="id704a3440fca2494ab4e23825f1ad2aa2"><enum>(II)</enum><text display-inline="yes-display-inline">1 or more individuals or entities of the People’s Republic of China.</text></subclause></clause></subparagraph>
<subparagraph commented="no" display-inline="no-display-inline" id="idd56ec7f67c1e4e6d90441ed9bdefc93e"><enum>(B)</enum><header>Exclusion</header><text display-inline="yes-display-inline">The term <term>covered manufacturer</term> does not include a manufacturer that has operations, subsidiaries, or publicly traded securities in the People’s Republic of China if such manufacturer is not otherwise a manufacturer described in subparagraph (A).</text></subparagraph></paragraph> <paragraph id="id49a8fb5abe984ab4b5f7f6a4f19bb710"><enum>(3)</enum><header>Cybersecurity risk</header><text>The term <term>cybersecurity risk</term> means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism.</text></paragraph>
<paragraph commented="no" display-inline="no-display-inline" id="id98f0b002c33b4b759cb6d9e66b41f486"><enum>(4)</enum><header>Networked</header><text>The term <term>networked</term>, with respect to a device, means that the device includes software that has the ability to connect to the internet.</text></paragraph></subsection></section> </legis-body> </bill> 

