Senator · R-AR
The bill strengthens medical‑device cybersecurity and transparency to protect patients and national security but creates a trade‑off with possible near‑term device shortages, higher costs, and gaps where some vulnerable manufacturers may remain outside review.
Hospitals and patients will have fewer insecure networked medical devices in use because HHS/FDA are required to identify and remove devices that pose cybersecurity risks.
Patients and health systems will get clearer information about where patient data are stored and what software components devices use because manufacturers must provide data locations and a software bill of materials within 180 days.
Taxpayers and health systems may face reduced national cyber risk over time because the bill requires analysis of higher‑risk foreign (PRC‑headquartered) manufacturers' market share and data‑security protections to inform policy actions.
Patients and hospitals could experience delays in care if immediate cessation orders remove devices and suitable substitutes are not available, creating dangerous device shortages.
Manufacturers (including U.S. subsidiaries) and health systems may face significant compliance costs and market disruption from rapid information requests and potential bans, which could raise device prices or reduce supply.
Hospitals and patients may remain exposed because excluding some manufacturers with PRC operations or certain public‑market structures could leave vulnerable devices unreviewed, limiting the law's protective reach.
Based on analysis of 2 sections of legislative text.
Directs FDA (with CISA) to review and, if necessary, halt distribution of networked medical devices tied to PRC-headquartered or PRC-controlled manufacturers for cybersecurity risks, and to report findings to Congress.
Official title: Require the Secretary of Health and Human Services to review certain medical devices manufactured in the People's Republic of China for potential cybersecurity issues, and for other purposes.
Introduced June 24, 2026 by Thomas Bryant Cotton · Last progress June 24, 2026
Requires HHS (through the FDA and consulting CISA) to review networked medical devices made by manufacturers headquartered in or controlled by the People’s Republic of China for cybersecurity risks. The agency must request device information within 180 days, may order halting distribution within 18 months if a device poses a cybersecurity risk or the manufacturer fails to comply, and must report to Congress within two years with an analysis and recommendations. Defines which devices and manufacturers are covered, allows limited exemptions if recalls would create dangerous shortages, and directs specific data collection (including a software bill of materials and data location details) to evaluate cyber preparedness and data-security protections for covered devices.