Sen. Tom Cotton Proposes Legislation Against Cyber Threats from Chinese-Made Medical Devices
On Wednesday, Senator Tom Cotton (R-AR) introduced a new bill aimed at safeguarding U.S. patients from cyber threats associated with networked medical devices manufactured in China.
“Chinese medical devices pose significant risks to both the privacy and safety of American patients. This legislation aims to tackle these dangers,” Cotton stated in a message to Breitbart News.
His proposal, called the China Patient Cyber Threat Countermeasures (CCP Countermeasures) Act, includes several key provisions:
- It mandates that the Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) review older Chinese-made networked medical devices to detect any cybersecurity vulnerabilities.
- It directs the FDA to initiate recalls of such devices that could compromise patient safety.
- The Department of Health and Human Services (HHS) alongside CISA is also tasked with providing Congress a report that outlines the cybersecurity readiness of the U.S. healthcare sector, evaluates China’s share in the U.S. medical device market, and explores ways to enhance the cybersecurity of American-made medical devices.
Cotton initially raised these concerns with the FDA in May, highlighting serious cybersecurity issues within Chinese networked medical devices.
“I am writing to share my worries regarding cybersecurity weaknesses linked to network medical devices coming from China. Allowing American patients to use these potentially compromised devices poses dangers both for national security and public health,” he mentioned in a letter addressed to Acting FDA Commissioner Kyle Diamantas.
He elaborated on the risks tied to these devices: the FDA discovered that when connected to the Internet, one device could unintentionally access sensitive patient health data. A breach in this information could lead to identity theft, insurance fraud, or even more complex scams targeted at U.S. patients. CISA also warned that the device could allow an unidentified user to take remote control, raising the risk that malicious attackers might alter its functionality or misinform diagnoses related to serious conditions like heart failure or high blood pressure. Specifically, on May 14, 2025, the FDA issued a Class II recall for the Contec CMS8000 due to these concerns.
“The FDA has started requiring medical device makers to prove enhanced cybersecurity measures to gain premarket approval in 2023,” Cotton noted. “However, before these standards were instituted, previously marketed devices were not subject to similar scrutiny. Therefore, additional action is essential to safeguard Americans from these risks.”
“It’s critical to protect American privacy and ensure that cybercriminals from hostile nations cannot gain access to our health data. I am eager to collaborate on this important issue,” he concluded in his correspondence with the FDA.

