FDA Points Manufacturers to AAMI Cybersecurity Recommendations


Posted July 5, 2016

The Food and Drug Administration (FDA) has added AAMI’s new information security recommendations to its list of recognized standards less than a month after it was approved by the association’s Device Security Working Group. AAMI TIR57, Principles for medical device security―Risk management, which is expected to be publicly available this summer, provides manufacturers with guidance on developing a cybersecurity risk management process for medical devices.

Ever since a Hollywood, CA hospital paid to regain access to ransomware-encrypted files earlier this year, it seems as though hackers have put the healthcare industry in their crosshairs. In fact, last week, the healthcare records of nearly 10 million Americans were reportedly put up for sale after they were stolen from three large health organizations and a U.S. insurance company.

“The speed that the FDA recognized TIR57 really is a sign of the times,” said Wil Vargas, a standards director at AAMI. “The rise in cyberattacks has made everyone more aware of just how vulnerable healthcare technology can be. Manufacturers want—and are looking for—reliable guidance to protect their devices and prevent such attacks. TIR57 provides an entry point for the ‘good guys’ to address this issue.”

TIR57 blends security and safety risk management by showing how to apply the principles presented in ANSI/AAMI/ISO 14971, Medical devices—Application of risk management to medical devices, to security threats that could impact the confidentiality, integrity, and/or availability of a medical device or information processed by the device.

“It seemed natural to anchor our document in ANSI/AAMI/ISO 14971 since manufacturers are already familiar with it and have compliant processes in place,” said Ken Hoyme, distinguished scientist at Adventium Labs and co-chair of the AAMI Device Security Working Group. “Then we decided to describe how to link that process with the primary document on security risk management for IT systems, NIST SP800-30, Guide for conducting risk assessment.”

TIR57 lists six steps involved in the security risk management process:

  • Security risk analysis
  • Security risk evaluation
  • Security risk control
  • Evaluation of overall residual security risk acceptability
  • Security risk management report
  • Production and postproduction information

To make the guidance more tangible, the report is use-case driven, guiding manufacturers through the entire process using the fictional “Kidneato” implantable device and its accessories.

“The goal is that by using TIR57, manufacturers will be able to integrate cybersecurity risk discovery and discussions into their development process, allowing them to identify and address potential issues that might not have been seen as early,” Vargas said.

With the FDA’s stamp of approval, such risk management activities will be considered during premarket submission.

While the FDA has its own premarket cybersecurity guidance document that details what it expects in a submission, Hoyme said manufacturers would be well served by following TIR57.

“Recognizing TIR57 means that the agency acknowledges the process we recommended. It also means manufacturers know that if they implement the process defined by TIR57, they will be generating the information expected by the FDA in their submissions,” Hoyme explained.

Because the threat environment can change so quickly, TIR57 also recommends that manufacturers plan for a periodic review of the security of their devices and ensure that they are able to respond to security issues throughout the expected life of a device.

To assist with this process, Hoyme said that the Device Security Working Group has developed a detailed outline on postmarket cybersecurity activities and plans to bring together stakeholders to define the details on how to do these activities well.

“If any AAMI members have interest in the postmarket work, we are just getting started and would love to have more participation―especially from representatives of the healthcare delivery organization community who understand the issues that arise when these devices are interconnected,” Hoyme said.

For more information, please contact Wil Vargas at wvargas@aami.org.