A new standard for medical device security provides valuable guidance for manufacturers.

Any builder can attest to the fact that a strong foundation is needed for a sturdy house. Neglect the groundwork, and the walls and roof will never hold. Everything is bound to come tumbling down.

For the members of the AAMI Medical Device Security Working Group, some form of this maxim must have been top of mind. The group recently developed a new standard on security risk management for device manufacturers—ANSI/AAMI SW96—building it on the cement and steel already laid down by two technical information reports (TIRs) on the same subject.

ANSI/AAMI SW96:2023, Standard for medical device security—Security risk management for device manufacturers, is the first consensus standard to provide specific requirements for managing security across a product’s entire life cycle. The document, released earlier this year, is based on guidance previously published in AAMI’s TIR57:2016 and TIR97:2019.

• AAMI TIR57:2016/(R)2023; Principles for medical device security—Risk management, is primarily focused on addressing security risk during product design.
  
  
• AAMI TIR97:2019/(R)2023; Principles for medical device security—Postmarket risk management for device manufacturers, offers guidance related to managing security risk during and after product production.

The two TIRs are meant to be used together and within the risk management framework defined by the International Organization for Standardization’s global standard, ISO 14971:2019.

The publication of ANSI/AAMI SW96:2023 comes at a time when managing medical device security risks is becoming more difficult by the day. A study from 2022 in The Journal of the American Medical Association found that ransomware attacks against healthcare organizations more than doubled between 2016 and 2021, for example. And a 2023 cybersecurity report by the U.S. Department of Health and Human Service’s Office of Information Security noted that healthcare data breaches “have consistently trended upward” over the last decade. Cybercriminals, the HHS reports, “are continuously seeking to make their attacks more resilient, more disruptive, and harder to counter.”

The issue of cybersecurity has become so critical that the 2023 “omnibus” bill signed into law by President Biden includes a section on “Ensuring Cybersecurity of Medical Devices” that amends product submission requirements spelled out in the Federal Food, Drug, and Cosmetic Act. Responding to the amendment this March, the FDA published new guidance on medical device security that advises manufacturers to submit “a plan to monitor, identify, and address…postmarket cybersecurity vulnerabilities and exploits” and to “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure.”

While SW96 was developed before the FDA guidance came out, the standard provides device manufacturers with a road map to complying with its recommendations. Postmarket monitoring of device vulnerabilities and exploits, for example, is among the topics addressed in SW96, as are important cybersecurity measures like patching and creating a software bill of materials (SBOM).

In a summary of the standard and its implications written by four industry leaders who played major roles in its development (Charles S. Farlow, et al., Biomedical Instrumentation & Technology), the authors say SW96 “advances the state of the art” in security risk management by focusing on several “elements” that are key to the risk management process. One section of the standard, for example, is all about security risk analysis, while another covers the evaluation of “overall security residual risk acceptability.” Under “General Requirements for Security Risk Management,” it explains what manufacturers need to include in their security risk management plans. And within clause 10, “Production and Post-production Activities,” it specifies that device makers must establish “a process for identifying and managing security incidents.”

The authors of the BI&T analysis also point to the standard’s supporting annexes and explain how they were developed to expand on topics “of particular interest to practitioners in the security risk management field.” The annexes include detailed information on everything from working with third-party service organizations to best practices in threat modeling.

TIR57 and TIR97 “have been widely successful,” the BI&T authors note, as resources for industry stakeholders, but they’re limited by the simple fact that they’re only technical information reports. They’re reviews of technical issues and statements of expert opinion, but because they’re TIRs, they don’t include any requirements that medical device manufacturers must follow.

Now, with ANSI/AAMI SW96:2023, device makers have a playbook they can use to stay ahead of existing and emerging cyberthreats while adhering to federal guidance on the subject. For years, manufacturers had their foundation, but now they finally have a house built to last.