S. 1656 (115th): Medical Device Cybersecurity Act of 2017

The summary below was written by the Congressional Research Service, which is a nonpartisan division of the Library of Congress, and was published on Jul 27, 2017.

Medical Device Cybersecurity Act of 2017

This bill amends the Federal Food, Drug, and Cosmetic Act to require the Food and Drug Administration (FDA), in coordination with others, to create a cybersecurity report card for devices that have network or Internet connectivity, connect to an external drive or external media, or have any other cyber capability.

Report cards must contain specified information, including: (1) information pertaining to the essential elements described in the most recent version of the Manufacturer Disclosure Statement for Medical Device Security, (2) a cybersecurity risk assessment conducted by the manufacturer or third party, and (3) whether the device is capable of being accessed remotely.

A cyber device manufacturer must include a report card in any premarket notification or application for premarket approval. The FDA shall provide a copy of a device's report card if requested by a health care industry entity or an entity with a valid interest in the report card. 

The bill establishes procedures, including notifications to providers and patients, for manufacturers when cyber devices are remotely accessed or no longer going to be sold. Fixes and updates to cyber devices must be free of charge for specified time periods.

The bill expands the responsibilities of the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team to include investigating cybersecurity vulnerabilities of cyber devices that may cause harm to human life or the significant misuse of personal health information, and coordinating device-specific responses.