
Congress Just Advanced a Healthcare Cybersecurity Bill. What It Means for Medical Device Companies.

March 31, 2026, by Jose Bohorquez

The Health Care Cybersecurity and Resiliency Act just cleared the Senate HELP Committee. For medical device manufacturers, this is not a drill.

The Senate Health, Education, Labor, and Pensions Committee advanced S.3315, the Health Care Cybersecurity and Resiliency Act, last month. ITIF published a full endorsement yesterday calling it a step toward making healthcare cybersecurity a federal mandate. And this is happening against a backdrop of Stryker getting hit by a nation-state wiper attack, a second Iran-linked attack on a US medical institution last week, and a University of Mississippi Medical Center ransomware incident that shut down seven hospitals in February.

If you are a medical device manufacturer, you need to read this one carefully. Because this bill, if it passes, raises the mandatory floor across the entire health sector.

What S.3315 Actually Does

The bill has three core components that matter for device companies:

1. Mandatory cybersecurity standards for the health sector. The bill requires HHS to update HIPAA regulations to mandate modern security controls: encryption, multi-factor authentication, and penetration testing. These would apply to covered entities and business associates. That means hospitals and health systems you connect to, distribute through, or partner with are going to have significantly stricter requirements.

2. HHS-CISA coordination. The bill establishes formal coordination between HHS and CISA to improve cybersecurity across healthcare. This is substantive. CISA's threat intelligence, which has been issuing medical device advisories since the Stryker attack, now has an explicit mandate to work with HHS on sector-wide standards.

3. Grant funding for cybersecurity improvements. The bill creates a structured grant program within HHS to strengthen cybersecurity. Practically, this means the federal government is about to fund a wave of cybersecurity upgrades across the health sector. Every hospital and health system that processes your device data or connects to your devices is going to be scrutinized.

What It Does Not Cover (But You Should Treat As If It Does)

The bill is not directly a medical device regulation. FDA's 524B authority and the premarket cybersecurity submission requirements remain the governing framework for device manufacturers. S.3315 does not replace or supersede FDA cybersecurity guidance.

But the downstream effect is clear. When the hospitals and health systems buying and deploying your devices are legally required to document their security posture, they are going to start asking harder questions about the devices they connect to their networks. Procurement security questionnaires are going to get longer. Hospital security teams are going to push back on devices that cannot demonstrate a documented cybersecurity program.

The companies that have a clean, documented cybersecurity package (SBOMs, vulnerability management plans, and penetration test results) are going to have a much easier time in those procurement conversations than the ones scrambling to piece something together.

The Timing Is Not a Coincidence

This bill cleared committee in the same quarter that two major medical device companies were hit by nation-state attacks. Stryker had 200,000 devices wiped. A second US medical institution was hit two weeks later. RAPS is already asking whether FDA will use these events to reassess cybersecurity requirements.

Congress is moving because the threat environment is real and visible. The Stryker attack was not obscure. It made NBC News, the Justice Department, and industry trade press. When a wiper attack on a medical device company is getting covered by mainstream outlets, legislators pay attention.

What to Do Now

If your company is already submitting to FDA with a full cybersecurity documentation package, you are ahead of most of the market. But "ahead" is not the same as "done."

Three things worth doing now:

Review your SBOM quality. S.3315's mandate for transparency extends into the supply chain. If you can't produce a clean, current SBOM, that is a gap that will matter both for FDA submissions and for hospital procurement conversations.
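One way to put numbers on "clean, current SBOM" is a simple completeness check over the CycloneDX JSON you would hand to FDA or a hospital procurement team. This is an added example, not CyberMed's tool or an FDA-prescribed check; the sample SBOM is constructed here, and the required fields and the 365-day freshness window are assumptions you can tune to your own program.

```python
"""Minimal SBOM completeness check (added example; not CyberMed's tool)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed CycloneDX-style SBOM for illustration only; not from any real device.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"timestamp": "2025-01-15T10:00:00Z"},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13", "supplier": {"name": "OpenSSL Project"}},
        {"type": "library", "name": "zlib", "version": "",          # version left blank
         "purl": "pkg:generic/zlib"},                               # and no supplier
        {"type": "library", "name": "freertos", "version": "10.4.3"},  # no purl, no supplier
    ],
})

# Fields assumed to be required for a procurement-ready component entry.
REQUIRED = ("name", "version", "purl", "supplier")


def check_sbom(sbom_json, now=None, max_age_days=365):
    """Return a list of findings; an empty list means the SBOM passes these checks."""
    sbom = json.loads(sbom_json)
    findings = []
    now = now or datetime.now(timezone.utc)

    # Currency: an SBOM with no generation time, or one older than the window, is stale.
    ts = sbom.get("metadata", {}).get("timestamp")
    if not ts:
        findings.append("metadata.timestamp missing")
    else:
        generated = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if now - generated > timedelta(days=max_age_days):
            findings.append(f"SBOM generated {ts} is older than {max_age_days} days")

    # Completeness: every component needs the fields a reviewer matches against advisories.
    for comp in sbom.get("components", []):
        label = comp.get("name") or "<unnamed>"
        for field in REQUIRED:
            if not comp.get(field):
                findings.append(f"{label}: missing {field}")
    return findings


def check_sample():
    """Run the check against the constructed SBOM as of the article's date."""
    as_of = datetime(2026, 3, 31, tzinfo=timezone.utc)
    return check_sbom(SAMPLE_SBOM, now=as_of)
```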

Check your penetration testing cadence. The bill specifically calls out pen testing as a mandatory requirement. If your last pen test was done before your 510(k) submission and nothing has changed since, you are running on stale assurance.

Document your incident response plan. The Stryker attack demonstrated what happens when a device manufacturer does not have a documented, tested plan for handling a destructive attack. The gap between ransomware response (pay the attacker, restore files) and wiper response (no files to restore) is significant. FDA has already signaled that incident response planning is part of the cybersecurity expectation.

If you need to know where you stand before this regulatory environment gets tighter, the FDA 524B Readiness Assessment at cybermed.ai is a practical place to start.


Jose Bohorquez is the founder of CyberMed, a cybersecurity consulting firm that helps medical device manufacturers meet FDA cybersecurity requirements for 510(k) and De Novo submissions.