
S. 3983: PATCH Act


The text of the bill below is as of Mar 31, 2022 (Introduced).


II

117th CONGRESS

2d Session

S. 3983

IN THE SENATE OF THE UNITED STATES

March 31, 2022

(for himself and Ms. Baldwin) introduced the following bill; which was read twice and referred to the Committee on Health, Education, Labor, and Pensions

A BILL

To amend the Federal Food, Drug, and Cosmetic Act to require, for purposes of ensuring cybersecurity, the inclusion in any premarket submission for a cyber device of information to demonstrate a reasonable assurance of safety and effectiveness throughout the lifecycle of the cyber device, and for other purposes.

1. Short title

This Act may be cited as the PATCH Act.

2. Ensuring cybersecurity of medical devices

(a) In general

Subchapter A of chapter V of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 351 et seq.) is amended by adding at the end the following:

524B. Ensuring cybersecurity of devices

(a) In general

For purposes of ensuring cybersecurity throughout the lifecycle of a cyber device, any person who submits a premarket submission for the cyber device shall include such information as the Secretary may require to ensure that the cyber device meets such cybersecurity requirements as the Secretary determines to be appropriate to demonstrate a reasonable assurance of safety and effectiveness, including at a minimum the cybersecurity requirements under subsection (b). The Secretary may establish exemptions to the requirements under this subsection.

(b) Cybersecurity requirements

At a minimum, the manufacturer of a cyber device shall meet the following cybersecurity requirements:

(1) The manufacturer shall have a plan to appropriately monitor, identify, and address in a reasonable time postmarket cybersecurity vulnerabilities and exploits.

(2) The manufacturer shall—

(A) have a plan and procedures for a Coordinated Vulnerability Disclosure to be part of submissions to the Food and Drug Administration; and

(B) collect and maintain such other information as the Secretary may (by order published in the Federal Register or by other process) require to demonstrate a reasonable assurance of the safety and effectiveness of the cyber device.

(3) The manufacturer shall design, develop, and maintain processes and procedures to make available updates and patches to the cyber device and related systems throughout the lifecycle of the cyber device to address—

(A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and

(B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks.

(4) The manufacturer shall furnish to the Secretary a software bill of materials, including commercial, open-sourced, and off-the-shelf software components that will be provided to users.

(c) Substantial equivalence

In making a determination of substantial equivalence under section 513(i) for a cyber device, the Secretary may—

(1) find that cybersecurity information for the cyber device described in the relevant premarket submission in the cyber device’s use environment is inadequate; and

(2) issue a nonsubstantial equivalence determination based on this finding.

(d) Definition

In this section:

(1) The term “cyber device” means a device that—

(A) includes software; or

(B) is intended to connect to the internet.

(2) The term “lifecycle of the cyber device” includes the postmarket lifecycle of the cyber device.

(3) The term “premarket submission” means any submission under section 510(k), 513, 515(c), 515(f), or 520(m).


(b) Prohibited act

Section 301(q) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 331(q)) is amended by adding at the end the following:

(3) The failure to comply with any requirement under section 524B (relating to ensuring the cybersecurity).


(c) Adulteration

Section 501 of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 351) is amended by adding at the end the following:

(k) If it is a device with respect to which the sponsor is in violation of section 524B (relating to ensuring cybersecurity).


(d) Misbranding

Section 502(t) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 352(t)) is amended—

(1) by striking “or (3)” and inserting “(3)”; and

(2) by inserting before the period at the end the following: “, or (4) to furnish a software bill of materials as required under section 524B (relating to ensuring the cybersecurity)”.