The Food and Drug Administration (FDA) has added AAMI's new medical device security guidance to its list of recognized consensus standards less than a month after the document was approved by the association's Device Security Working Group. AAMI TIR57, Principles for medical device security – Risk management, a technical information report expected to be publicly available this summer, gives manufacturers guidance on building a cybersecurity risk management process for medical devices.
Ever since a California hospital paid to regain access to ransomware-encrypted files earlier this year, it seems as though hackers have put the health care industry in their crosshairs. In fact, in late June, the health care records of nearly 10 million Americans were reportedly put up for sale after they were stolen from three large health organizations and a U.S. insurance company.
"The speed with which the FDA recognized TIR57 really is a sign of the times," said Wil Vargas, a standards director at AAMI. "The rise in cyberattacks has made everyone more aware of just how vulnerable health care technology can be. Manufacturers want – and are looking for – reliable guidance to protect their devices and prevent such attacks. TIR57 provides an entry point for the 'good guys' to address this issue."
TIR57 blends security and safety risk management by showing how to apply the principles of ANSI/AAMI/ISO 14971, Medical devices – Application of risk management to medical devices, to security threats that could affect the confidentiality, integrity, or availability of a medical device or of the information it processes.
"It seemed natural to anchor our document in ANSI/AAMI/ISO 14971 since manufacturers are already familiar with it and have compliant processes in place," said Ken Hoyme, distinguished scientist at Adventium Labs and co-chair of the AAMI Device Security Working Group. "Then, we decided to describe how to link that process with the primary document on security risk management for IT systems, NIST SP 800-30, Guide for Conducting Risk Assessments."
TIR57 lays out a six-step security risk management process that mirrors the structure of ANSI/AAMI/ISO 14971:
- Security risk analysis
- Security risk evaluation
- Security risk control
- Evaluation of overall residual security risk acceptability
- Security risk management report
- Production and postproduction information
Because TIR57 is now an FDA-recognized consensus standard, a manufacturer can cite conformance to its risk management process in a premarket submission, and the FDA will consider those activities when reviewing the device.
The FDA has its own premarket cybersecurity guidance document that details what it expects to see in a submission; even so, Hoyme said manufacturers would be well served by following TIR57.
“Recognizing TIR57 means that the agency acknowledges the process we recommended. It also means manufacturers know that if they implement the process defined by TIR57, they will be generating the information expected by the FDA in their submissions,” Hoyme explained.
Because the threat environment can change so quickly, TIR57 also recommends that manufacturers plan for a periodic review of the security of their devices and ensure that they are able to respond to security issues throughout the expected life of a device.
To support that work, Hoyme said the Device Security Working Group has developed a detailed outline of postmarket cybersecurity activities and plans to bring stakeholders together to define how to carry out those activities well.
For more information, visit the AAMI website.
