Code · BILL · 117th Congress · H.R. 2617 (UNKNOWN) — 110 HR 2617 EAS2: Consolidated Appropriations Act, 2023 · Sec. 3305

Sec. 3305. Ensuring cybersecurity of medical devices

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Subchapter A of chapter V of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 351 et seq.) is amended by adding at the end the following:

A person who submits an application or submission under section 510(k), 513, 515(c), 515(f), or 520(m) for a device that meets the definition of a cyber device under this section shall include such information as the Secretary may require to ensure that such cyber device meets the cybersecurity requirements under subsection (b).

The sponsor of an application or submission described in subsection (a) shall— submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures; design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address— on a reasonably justified regular cycle, known unacceptable vulnerabilities; and as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks; provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components; and comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.

In this section, the term cyber device means a device that— includes software validated, installed, or authorized by the sponsor as a device or in a device; has the ability to connect to the internet; and contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.

The Secretary may identify devices, or categories or types of devices, that are exempt from meeting the cybersecurity requirements established by this section and regulations promulgated pursuant to this section. The Secretary shall publish in the Federal Register, and update, as appropriate, a list of the devices, or categories or types of devices, so identified by the Secretary.

Section 301(q) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 331(q)) is amended by adding at the end the following: The failure to comply with any requirement under section 524B(b)(2) (relating to ensuring device cybersecurity).

Nothing in this section, including the amendments made by this section, shall be construed to affect the Secretary’s authority related to ensuring that there is a reasonable assurance of the safety and effectiveness of devices, which may include ensuring that there is a reasonable assurance of the cybersecurity of certain cyber devices, including for devices approved or cleared prior to the date of enactment of this Act.

The amendments made by subsections (a) and (b) shall take effect 90 days after the date of enactment of this Act. An application or submission submitted before such effective date shall not be subject to the requirements under subsection (a) or (b) of section 524B of the Federal Food, Drug, and Cosmetic Act, as added by this section.

Not later than 2 years after the date of enactment of this Act, and periodically thereafter as appropriate, the Secretary, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall review and, as appropriate and after soliciting and receiving feedback from device manufacturers, health care providers, third-party-device servicers, patient advocates, and other appropriate stakeholders, update the guidance entitled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (or a successor document).

Not later than 180 days after the date of enactment of this Act, and not less than annually thereafter, the Secretary shall update public information provided by the Food and Drug Administration, including on the website of the Food and Drug Administration, with information regarding improving cybersecurity of devices. Such information shall include information on identifying and addressing cyber vulnerabilities for health care providers, health systems, and device manufacturers, and how such entities may access support through the Cybersecurity and Infrastructure Security Agency and other Federal entities, including the Department of Health and Human Services, to improve the cybersecurity of devices.

Not later than 1 year after the date of enactment of this Act, the Comptroller General of the United States shall publish a report identifying challenges in cybersecurity for devices, including legacy devices that may not support certain software security updates. Through such report, the Comptroller General shall examine— challenges for device manufacturers, health care providers, health systems, and patients in accessing Federal support to address vulnerabilities across Federal agencies; how Federal agencies can strengthen coordination to better support cybersecurity for devices; and statutory limitations and opportunities for improving cybersecurity for devices.

In this section, the term device has the meaning given such term in section 201(h) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 321(h)).