AAMI News August 2016

Rise in Cyberattacks Sets Stage for AAMI Guidance

With millions of online health records being exposed or stolen on a monthly basis, healthcare facilities are under increasing pressure to beef up their cybersecurity protections. In turn, these facilities are calling on the makers of medical devices and other types of healthcare technology to do more to ensure the security of their products.

Against this backdrop, AAMI has released a new technical information report (TIR) intended to help manufacturers better identify and address cyberthreats during medical device development.

AAMI TIR57, Principles for medical device security—Risk management, outlines a process that blends security and safety risk management. The Food and Drug Administration (FDA) has already added this TIR to its list of recognized standards—a move that came less than a month after it was approved by AAMI’s Device Security Working Group. With the FDA’s stamp of approval, a manufacturer’s risk management activities, as detailed in TIR57, will be considered during premarket submission.

“Recognizing TIR57 means that the agency acknowledges the process we recommended. It also means manufacturers know that if they implement the process defined by TIR57, they will be generating the information expected by the FDA in their submissions,” explained Ken Hoyme, distinguished scientist at Adventium Labs and co-chair of the AAMI working group.

The problem of cybersecurity breaches is significant and growing. In June alone, an estimated 11,061,649 healthcare records were exposed or stolen, almost six times the number reported between January and May, based on figures from the Department of Health and Human Services’ Office for Civil Rights.

“I call it the age of the digital pathogen,” said Mike Ahmadi, global director of critical systems security at Synopsys Software Integrity Group in Mountain View, CA, during his cybersecurity presentation at the AAMI 2016 Conference & Expo. “We have digital diseases that are affecting medical devices.”

TIR57 seeks to help manufacturers analyze, evaluate, control, and mitigate cyberthreats by applying the principles presented in ANSI/AAMI/ISO 14971, Medical devices—Application of risk management to medical devices, to vulnerabilities that could impact the confidentiality, integrity, and/or availability of a medical device or information processed by the device.

“It seemed natural to anchor our document in ANSI/AAMI/ISO 14971 since manufacturers are already familiar with it and have compliant processes in place,” Hoyme said.

The goal, according to the committee, is to have manufacturers integrate cybersecurity risk discovery and discussions into their development process.


AAMI TIR57, Principles for medical device security—Risk management

  • List Price: $243
  • AAMI Member: $146
  • Order Code: TIR57 or TIR57-PDF

To order, call 1-877-249-8226 or visit www.aami.org/store.