Bill Sponsor
House Bill 7084
117th Congress (2021-2022)
PATCH Act of 2022
Introduced in House on Mar 15, 2022
H. R. 7084 (Introduced-in-House)


117th CONGRESS
2d Session
H. R. 7084


To amend the Federal Food, Drug, and Cosmetic Act to require, for purposes of ensuring cybersecurity, the inclusion in any premarket submission for a cyber device of information to demonstrate a reasonable assurance of safety and effectiveness throughout the lifecycle of the cyber device, and for other purposes.


IN THE HOUSE OF REPRESENTATIVES

March 15, 2022

Mr. Burgess introduced the following bill; which was referred to the Committee on Energy and Commerce


A BILL

To amend the Federal Food, Drug, and Cosmetic Act to require, for purposes of ensuring cybersecurity, the inclusion in any premarket submission for a cyber device of information to demonstrate a reasonable assurance of safety and effectiveness throughout the lifecycle of the cyber device, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Protecting and Transforming Cyber Health Care Act of 2022” or the “PATCH Act of 2022”.

SEC. 2. Ensuring cybersecurity of medical devices.

(a) In general.—Subchapter A of chapter V of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 351 et seq.) is amended by adding at the end the following:

“SEC. 524B. Ensuring cybersecurity of devices.

“(a) In general.—For purposes of ensuring cybersecurity throughout the lifecycle of a cyber device, any person who submits a premarket submission for the cyber device shall include such information as the Secretary may require to ensure that the cyber device meets such cybersecurity requirements as the Secretary determines to be appropriate to demonstrate a reasonable assurance of safety and effectiveness, including at a minimum the cybersecurity requirements under subsection (b). The Secretary may establish exemptions to the requirements under this subsection.

“(b) Cybersecurity requirements.—At a minimum, the manufacturer of a cyber device shall meet the following cybersecurity requirements:

“(1) The manufacturer shall have a plan to appropriately monitor, identify, and address in a reasonable time postmarket cybersecurity vulnerabilities and exploits.

“(2) The manufacturer shall—

“(A) have a plan and procedures for a Coordinated Vulnerability Disclosure to be part of submissions to the Food and Drug Administration; and

“(B) collect and maintain such other information as the Secretary may (by order published in the Federal Register or by other process) require to demonstrate a reasonable assurance of the safety and effectiveness of the cyber device.

“(3) The manufacturer shall design, develop, and maintain processes and procedures to make available updates and patches to the cyber device and related systems throughout the lifecycle of the cyber device to address—

“(A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and

“(B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks.

“(4) The manufacturer shall furnish to the Secretary a software bill of materials, including commercial, open-sourced, and off-the-shelf software components that will be provided to users.

“(c) Substantial equivalence.—In making a determination of substantial equivalence under section 513(i) for a cyber device, the Secretary may—

“(1) find that cybersecurity information for the cyber device described in the relevant premarket submission in the cyber device’s use environment is inadequate; and

“(2) issue a nonsubstantial equivalence determination based on this finding.

“(d) Definition.—In this section:

“(1) The term ‘cyber device’ means a device that—

“(A) includes software; or

“(B) is intended to connect to the internet.

“(2) The term ‘lifecycle of the cyber device’ includes the postmarket lifecycle of the cyber device.

“(3) The term ‘premarket submission’ means any submission under section 510(k), 513, 515(c), 515(f), or 520(m).”.

(b) Prohibited act.—Section 301(q) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 331(q)) is amended by adding at the end the following:

“(3) The failure to comply with any requirement under section 524B (relating to ensuring the cybersecurity).”.

(c) Adulteration.—Section 501 of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 351) is amended by inserting after paragraph (j) the following:

“(k) If it is a device with respect to which the sponsor is in violation of section 524B (relating to ensuring cybersecurity).”.

(d) Misbranding.—Section 502(t) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 352(t)) is amended—

(1) by striking “or (3)” and inserting “(3)”; and

(2) by inserting before the period at the end the following: “, or (4) to furnish a software bill of materials as required under section 524B (relating to ensuring the cybersecurity)”.