Bill Aims to Extend Cybersecurity Review of Made-in-China Medical Devices

‘Communist Chinese-made medical devices threaten the privacy and safety of every American patient,’ Sen. Tom Cotton (R-Ark.) said.
People walk by a hospital in Washington on Jan. 2, 2025. Madalina Vasiliu/The Epoch Times

Sen. Tom Cotton (R-Ark.) has introduced a bill that would subject Chinese-made medical devices already cleared for U.S. use to cybersecurity checks.

The legislation, called the Countering Chinese Cyberthreats for Patients Act, or Countering CCP Act, would give federal health regulators the flexibility to retroactively enforce cybersecurity measures. It is aimed at cracking down on “dangerous devices,” Cotton said.

“Communist Chinese-made medical devices threaten the privacy and safety of every American patient,” Cotton said in a statement on June 25.

The bill would direct the Department of Health and Human Services to identify any potential cybersecurity vulnerabilities in internet-connected medical devices made in China. The Food and Drug Administration and the Cybersecurity and Infrastructure Security Agency would also join the review process.

The legislation targets medical devices produced by companies headquartered in China, or controlled by individuals and entities in China, that received U.S. regulatory approval before March 28, 2023. Foreign companies with factories or subsidiaries in China would not be subject to the review.

Since March 2023, the FDA has required medical device manufacturers to meet additional cybersecurity standards to obtain pre-market approval.

“But this requirement did not extend to medical devices on the market prior to the enactment of the enhanced cybersecurity requirements,” Cotton wrote in a May letter to acting FDA commissioner Kyle Diamantas. “Thus, more must be done to protect Americans from compromised medical devices.”

If enacted, the bill would compel Chinese medical device manufacturers to submit technical information, including a list of the software used in the device, their development process, and server locations.

With detailed information, federal regulators would be required to determine whether these medical devices are sufficiently secure against cyber threats and ensure that U.S. patient data is not stored or transmitted through servers based in China.

Chinese laws and regulations, including the regime’s 2017 intelligence legislation, mandate that companies operating in the country hand over data or provide other assistance to intelligence agencies upon request.

Sen. Tom Cotton (R-Ark.), speaks in Washington on March 17, 2026. (Madalina Kilroy/The Epoch Times)

The proposed legislative measures would give Health and Human Services the authority to stop the distribution of devices deemed risky to security and notify healthcare providers, device users, and all individuals potentially exposed to such risks.

Chinese companies that fail to provide the required information within three months would also see their products recalled from the U.S. market.

In addition, the U.S. government would be required to submit a report to Congress on the cybersecurity assessment of the medical equipment industry, Chinese companies’ share of the U.S. market, and data security measures for made-in-China devices, along with recommendations on how to bolster the industry’s cyber preparedness.

The legislative proposal comes as attention heightens over vulnerabilities in internet-enabled medical and other equipment, especially products from manufacturers based in foreign adversary nations.

Last January, the FDA warned that certain devices by Chinese patient-monitor maker Contec contained a backdoor that, once the device was connected to the internet, could allow remote access, manipulation of the device, and transmission of patients’ data.

In response, the FDA recalled Contec’s CMS8000 patient monitor, as well as the Epsimed MN-120, the same device relabeled and distributed in the U.S. market by Miami-based Epsimed.

In a July 2025 update, the FDA said Contec had released a software patch to fix the cybersecurity flaws, a patch the agency assessed as removing networking functionality from the affected devices.