
Full profile: /officials/C001095
Source: Congress.gov · FEC
Members who have signed on to support this bill since introduction. Source: Congress.gov.
No cosponsors on record. Bills can pass without cosponsors — this often means the sponsor introduced the bill alone, either because it's a messaging bill, a chairman's mark, or simply early in the legislative cycle.
The most recent step in the bill's legislative path. Committee Activity below shows referrals and reports; the full action-by-action history including floor proceedings lives at Congress.gov →
Read twice and referred to the Committee on Health, Education, Labor, and Pensions.
2026-06-24
Source: Congress.gov
Currently in
The federal government would be required to examine medical devices made in China to identify potential cybersecurity weaknesses that could allow hackers to access or interfere with them. This review would help protect patients who rely on these devices by catching security problems before they cause harm. The measure affects medical device manufacturers, healthcare providers, and patients who use imported medical equipment.
AI-assisted summary generated from the official bill metadata (title, subjects, actions) sourced from Congress.gov. Cached and reviewed. Always verify against the official text linked below.
Verbatim text published on Congress.gov via GovInfo. Use Cmd+F / Ctrl+F to search within this excerpt.
[Congressional Bills 119th Congress] [From the U.S. Government Publishing Office] [S. 4939 Introduced in Senate (IS)] <DOC> 119th CONGRESS 2d Session S. 4939 To require the Secretary of Health and Human Services to review certain medical devices manufactured in the People's Republic of China for potential cybersecurity issues, and for other purposes. _______________________________________________________________________ IN THE SENATE OF THE UNITED STATES June 24, 2026 Mr. Cotton introduced the following bill; which was read twice and referred to the Committee on Health, Education, Labor, and Pensions _______________________________________________________________________ A BILL To require the Secretary of Health and Human Services to review certain medical devices manufactured in the People's Republic of China for potential cybersecurity issues, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the ``Countering Chinese Cyberthreats for Patients Act'' or the ``Countering CCP Act''. SEC. 2. REVIEW AND RECALL OF CERTAIN MEDICAL DEVICES MANUFACTURED IN THE PEOPLE'S REPUBLIC OF CHINA. (a) Review of Certain Devices.-- (1) In general.--The Secretary of Health and Human Services, acting through the Commissioner of Food and Drugs (referred to in this section as the ``Secretary''), in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall review each covered device for potential cybersecurity issues. (2) Request for information.-- (A) In general.--Not later than 180 days after the date of enactment of this Act, the Secretary, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall request from each covered manufacturer of a covered device such information as is necessary to conduct the review under paragraph (1), including-- (i) a software bill of materials for the covered device, including commercial, open- source, and off-the-shelf software components, and data mapping and architecture documentation; (ii) locations of entities, information systems, and servers holding patient data; and (iii) any other information the Secretary determines necessary. (B) Requirements.--In determining the form and scope of information to request under subparagraph (A), the Secretary, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall analyze covered devices and seek information, including information on any processes and procedures of the covered manufacturer, that, as determined by Secretary, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency-- (i) would provide a reasonable assurance that the covered device and related systems are and will remain cybersecure; and (ii) would provide a reasonable assurance that patient data would not be stored or transferred through systems or servers located in, owned, or controlled by entities headquartered or subject to jurisdiction of the People's Republic of China. (b) Recall Authority.-- (1) In general.--Subject to paragraph (3), not later than 18 months after the date of enactment of this Act, the Secretary shall issue for all covered devices that are determined pursuant to the review under subsection (a) to pose a cybersecurity risk an order requiring the appropriate person (including the manufacturers, importers, distributors, or retailers of the covered device)-- (A) to immediately cease distribution of such covered device; (B) to immediately notify health professionals and device user facilities of the order and to instruct such professionals and facilities to cease use of such covered device; and (C) to notify all individuals subject to the risks associated with the use of such covered device. (2) Recall in cases of failure to provide information.-- Subject to paragraph (3), for any covered device for which the covered manufacturer fails to submit the information requested under subsection (a)(2)(A) by the date that is 180 days after the date…
on which such covered manufacturer received such request, the Secretary shall issue for such covered device an order requiring the appropriate person (including the manufacturers, importers, distributors, or retailers of the covered device)-- (A) to immediately cease distribution of such covered device; (B) to immediately notify health professionals and device user facilities of the order and to instruct such professionals and facilities to cease use of such covered device; and (C) to notify all individuals subject to the risks associated with the use of such covered device. (3) Exemption.--The Secretary may exempt from an order under paragraph (1) or (2) a covered device for which a recall would, as determined by the Secretary, create a shortage that would pose a danger to patient health. (c) Report.--Not later than 2 years after the date of enactment of this Act, the Secretary, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall submit to the Committee on Health, Education, Labor, and Pensions and the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Energy and Commerce and the Committee on Homeland Security of the House of Representatives a report that includes-- (1) a description of the cyber preparedness and data security of the device industry in the United States; (2) an analysis of the market share of devices used in the United States of manufacturers headquartered in the People's Republic of China; (3) an analysis of data security requirements and protections of devices used in the United States of manufacturers headquartered in or subject to the jurisdiction of the People's Republic of China; and (4) recommendations for methods to bolster the cyber preparedness of the device industry in the United States. (d) Definitions.--In this section: (1) Covered device.--The term ``covered device'' means a networked device that was manufactured by a covered manufacturer and was cleared, authorized, approved, or exempted under section 510(k), 513(f)(2), 515, or 520(m) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 360(k), 360c(f)(2), 360e, 360j(m)) on or before March 28, 2023. (2) Covered manufacturer.-- (A) In general.--The term ``covered manufacturer'' means a manufacturer-- (i) headquartered in the People's Republic of China; or (ii) that is owned or controlled by-- (I) the People's Republic of China; or (II) 1 or more individuals or entities of the People's Republic of China. (B) Exclusion.--The term ``covered manufacturer'' does not include a manufacturer that has operations, subsidiaries, or publicly traded securities in the People's Republic of China if such manufacturer is not otherwise a manufacturer described in subparagraph (A). (3) Cybersecurity risk.--The term ``cybersecurity risk'' means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism. (4) Networked.--The term ``networked'', with respect to a device, means that the device includes software that has the ability to connect to the internet. <all>
Bills by the same sponsor or covering overlapping subjects.