New proposed legislation focuses on security risks in Chinese-made medical devices
In June, Senator Tom Cotton (R-Arkansas) introduced legislation that aims to address cybersecurity risks associated with medical devices made in China. The announcement of the bill comes shortly after Sen. Cotton sent a letter to Kyle Diamantas, acting commissioner of the Food and Drug Administration (FDA), urging the agency, along with the Cybersecurity and Infrastructure Security Agency (CISA), “to review Chinese-made medical devices cleared prior to March 29, 2023.”
If passed, the Countering Chinese Cyberthreats for Patients (Countering CCP) Act would direct the FBI and CISA to review these legacy devices. The FDA would recall any devices deemed to pose cybersecurity risks to patients. The legislation also calls up CISA and the Department of Health and Human Services (HHS) to deliver to Congress a report on the market share of Chinese-made medical devices in the U.S., the U.S. medical device industry’s cyber readiness and ways to improve that readiness.
Chinese-manufactured medical devices and cybersecurity risk
Last year, CISA and the FDA flagged cybersecurity vulnerabilities in Contec CMS8000, a device used to monitor patients’ vitals. These devices contain a backdoor that “enables patient data spillage,” according to the CISA fact sheet. Sen. Cotton warned that this kind of data leakage could expose patients to identify theft, fraud and scams in his letter to FDA Acting Commissioner Diamantas.
In 2023, the FDA began requiring medical device manufacturers to include a software bill of materials (SBOM) with regulatory submissions for medical devices that have software and connect to the internet. SBOMs are meant to enable tracking of all components and software included in medical devices, both from the manufacturer and third parties. Sen. Cotton’s legislation focuses on reviewing legacy devices, those made prior to those cybersecurity requirements.
Cybersecurity threats associated with People’s Republic of China cyber actors are a known risk. In 2024, Christopher Wray, director of the FBI at the time, spoke before the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party. Wray warned of China’s attempts to preposition itself within U.S. critical infrastructure: “setting up back doors to cripple vital assets and systems in the event China invades Taiwan.” Health care is one of 16 critical infrastructure sectors.
Barriers to implementation
The Countering CCP Act outlines steps for addressing potential risk in Chinese-manufactured medical devices, but if the legislation passes, there are barriers to implementation to consider.
The health care supply chain is incredibly complex. Finding and assessing the risks associated with these legacy devices, which are made up of various hardware and software components, would be a significant undertaking.
“The challenge is there are tens of thousands of these Chinese-manufactured devices that are already embedded within the hospital network,” Alison King, vice president of government affairs at Forescout, told Digital Health Insights.
Risk assessment will not be as simple as identifying any and all medical devices manufactured in China.
“You’re going to want to have an understanding of how these devices are behaving, not just, ‘Hey, I think this pacemaker or pump is going to be suspect because it has “Made in China” on the box,” King explained.
When risk is identified, issuing a recall is going to come with its own set of challenges. If these devices are embedded in healthcare providers’ ecosystems and in patients’ bodies, the answer is not as simple as “unplug everything.”
“There’s no federal framework for managing this transition of an existing install base. There are no coordinated replacement timelines. The funding mechanism’s not there, the clinical continuity guidance,” King said. “All of that has to be developed.”
HHS and CISA would play key roles in the Countering CCP Act. Both face proposed budget cuts in fiscal year 2027. The proposed budget would decrease funding for HHS by $15.8 billion and decrease funding for CISA by $707 million.
Managing medical device cyber risk
Health system leaders will have to watch how regulators and lawmakers at the federal and state level act. The Countering CCP Act was introduced at the federal level, and states are also taking a look at medical devices and cybersecurity risk. For example, Governor Greg Abbott directed Texas state agencies and state-owned medical facilities to review their cybersecurity and procurement policies in relation to Chinese-manufactured medical equipment.
Cybersecurity risks posed by Chinese-manufactured devices are on the radar of other federal agencies. The Federal Communications Commission (FCC) recently acted to ban Chinese equipment manufactured by three Chinese telecommunications firms and associated with cybersecurity risks, according to the Foundation for Defense of Democracies. The FCC has a Covered List that includes “communications equipment and services that are deemed to pose an unacceptable risk to the national security of the U.S. or the safety and security of U.S. persons.”
The FCC and FDA share oversight of wireless medical devices. As scrutiny of Chinese-manufactured devices grows, the FCC could act, according to King.
“If network medical devices from covered manufacturers were added, it could trigger the procurement restrictions,” she said.
Carrie Pallardy, a Chicago-based freelance writer and editor, began her career covering healthcare more than a decade ago. Her work has taken into many different industries, but covering healthcare delivery remains a constant focus. She can be reached at [email protected] or on LinkedIn.