AAMI TIR57: Principles for medical device security—Risk management

This technical information report provides medical device manufacturers with guidance on developing a cybersecurity risk management process for their products.

In a sign of TIR57’s relevance in today’s environment of hackers and security breaches, the Food and Drug Administration (FDA) added the document to its list of recognized standards less than a month after it was approved by the association’s Device Security Working Group. TIR57 blends security and safety risk management by showing how to apply the principles presented in ANSI/AAMI/ISO 14971, Medical devices—Application of risk management to medical devices, to security threats that could impact the confidentiality, integrity, and/or availability of a medical device or information processed by the device.

TIR57 lists six steps involved in the security risk management process:

  • Security risk analysis
  • Security risk evaluation
  • Security risk control
  • Evaluation of overall residual security risk acceptability
  • Security risk management report
  • Production and postproduction information


To make it both practical and accessible, TIR57 guides manufacturers through the process using the fictional “Kidneato” implantable device and its accessories.

While TIR57 is written primarily for medical device manufacturers, others who work with technology in healthcare—including design firms, software developers, and researchers—might find it helpful in understanding cyber vulnerabilities and how to best address them. TIR57 could help healthcare delivery organizations set expectations for vendors who supply medical devices.

Published: June 2015; 70 pages

Product CodeFormatList PriceMember Price
TIR57 Print $258 $153
TIR57 PDF $258 $153
Buy Online