The FDA has added new information security recommendations from the Association for the Advancement of Medical Instrumentation (AAMI) to its list of recognized standards less than a month after it was approved by the association’s Device Security Working Group. AAMI TIR57, Principles for medical device security—risk management, which is expected to be publicly available this summer, provides manufacturers with guidance on developing a cybersecurity risk management process for medical devices.
“The speed that the FDA recognized TIR57 really is a sign of the times,” says Wil Vargas, a standards director at AAMI. “The rise in cyberattacks has made everyone more aware of just how vulnerable healthcare technology can be. Manufacturers want—and are looking for—reliable guidance to protect their devices and prevent such attacks. TIR57 provides an entry point for the ‘good guys’ to address this issue.”
TIR57 blends security and safety risk management by showing how to apply the principles presented in ANSI/AAMI/ISO 14971, Medical devices—Application of risk management to medical devices, to security threats that could impact the confidentiality, integrity, and availability of a medical device or information processed by the device.
“It seemed natural to anchor our document in ANSI/AAMI/ISO 14971 since manufacturers are already familiar with it and have compliant processes in place,” says Ken Hoyme, distinguished scientist at Adventium Labs and co-chair of the AAMI Device Security Working Group. “Then we decided to describe how to link that process with the primary document on security risk management for IT systems, NIST SP800-30, Guide for conducting risk assessment.”
TIR57 lists six steps involved in the security risk management process:
- Security risk analysis
- Security risk evaluation
- Security risk control
- Evaluation of overall residual security risk acceptability
- Security risk management report
- Production and postproduction information
To make the guidance more tangible, the report is use-case driven, guiding manufacturers through the entire process using the fictional “Kidneato” implantable device and its accessories. “The goal is that by using TIR57, manufacturers will be able to integrate cybersecurity risk discovery and discussions into their development process, allowing them to identify and address potential issues that might not have been seen as early,” Vargas says.
With the FDA’s stamp of approval, such risk management activities will be considered during premarket submission.
While the FDA has its own premarket cybersecurity guidance document that details what it expects in a submission, Hoyme says manufacturers would be well served by following TIR57. “Recognizing TIR57 means that the agency acknowledges the process we recommended. It also means manufacturers know that if they implement the process defined by TIR57, they will be generating the information expected by the FDA in their submissions,” Hoyme says.
Because the threat environment can change so quickly, TIR57 also recommends that manufacturers plan for a periodic review of the security of their devices and ensure that they are able to respond to security issues throughout the expected life of a device. To assist with this process, Hoyme says the Device Security Working Group has developed a detailed outline on post-market cybersecurity activities and plans to bring together stakeholders to define the details on how to do these activities well.
“If any AAMI members have interest in the post-market work, we are just getting started and would love to have more participation?especially from representatives of the health care delivery organization community who understand the issues that arise when these devices are interconnected,” Hoyme says.