The Association for the Advancement of Medical Instrumentation (AAMI) announces that the U.S. FDA has officially extended complete recognition to AAMI’s guidance document on medical device cybersecurity, ANSI/AAMI SW96.

Per the FDA, ANSI/AAMI SW96:2023, Standard for medical device security – Security risk management for device manufacturers, is an important resource for medical device sponsors. The agency’s original announcement states, “The FDA encourages use of this new standard to enhance quality and support product performance.”

Matt Williams, vice president of standards at AAMI, says, “FDA recognition of ANSI/AAMI SW96 is a major milestone. Device manufacturers can confidently use the standard to ensure compliance with FDA requirements and to provide better protection for health systems and patients alike. The standard’s adoption definitively furthers AAMI’s mission of promoting ideal patient outcomes.”

Released earlier this year, SW96 raised the bar for medical device cybersecurity risk management during the design and development stages, AAMI officials say. It contains clear guidance related to postmarket monitoring of device vulnerabilities, security measures like patching, and software bills of materials.

It is also the first guidance document that provides specific requirements for managing cybersecurity across a product’s life cycle. The standard sets out several key priorities:  

  1. Security risk analysis should be conducted for individual medical devices and systems to identify and document vulnerabilities and risks.
  2. Security risk evaluation should focus on how devices exist within both hardware and software systems.
  3. Security risk control should use more than one method of ensuring devices and systems are protected.
  4. Security risk management plans for medical devices must be in place before distribution and manufacturers must ensure that any residual risk is acceptable. 

The full standard can be found here.