Introduction
On November 7, 2023, FDA formally recognized a new cybersecurity standard titled ANSI AAMI SW96:2023 Standard for medical device security – Security risk management for device manufacturers [1]. This announcement follows the standard's addition to FDA's consensus standards database in early October. ANSI AAMI SW96:2023 leverages the risk management framework defined in ISO 14971 to establish requirements for addressing security risk management throughout the product life cycle [2]. Its recognition supplements the existing standards that currently shape security management practices in the medical device industry, such as IEC 81001-5-1, AAMI TIR57, and AAMI TIR97 [3]. FDA recognition does not make compliance with ANSI AAMI SW96:2023 mandatory; however, conformance to the standard may assist device sponsors in demonstrating that relevant FDA regulatory requirements have been met.
Breaking down ANSI AAMI SW96:2023
Co-published by the American National Standards Institute (ANSI) and the Association for the Advancement of Medical Instrumentation (AAMI), ANSI AAMI SW96:2023 aims to harmonize cybersecurity risk management practices with established international safety risk management standards and quality systems expectations [1]. The standard defines requirements for managing security-related risks across the total product lifecycle, based on the risk management principles outlined in ISO 14971. Specifically, ANSI AAMI SW96:2023 specifies requirements for a security risk management process, a security risk management plan, and a security risk management file [2].
Security Risk Management Process
Clause 4.1 of ANSI AAMI SW96:2023 requires that device manufacturers establish a security risk management process. This process must define the methods used to identify threats, vulnerabilities, and device assets, to estimate and evaluate security risks, and to implement and verify risk control measures [2]. The following table provides a more detailed breakdown of the requirements for the security risk management process.
| Process Elements | Description |
| --- | --- |
| Security risk analysis | A. Identification of security risks, based on the intended use and reasonably foreseeable misuse of the device; B. identification of device assets and other device characteristics that may affect device security; C. use of threat modeling techniques to determine potential security vulnerabilities; D. security risk estimation |
| Security risk evaluation | A. Evaluation of each security risk to determine appropriate risk reduction activities; B. evaluation of security risks relative to their potential safety impacts |
| Security risk control | A. Identification and implementation of security risk control measures to reduce security risks to acceptable levels; B. verification of risk control measures to ensure effective implementation; C. evaluation of security residual risk; D. performance of benefit-risk analyses when security residual risk remains unacceptable and further risk control is impractical |
| Evaluation of overall security residual risk acceptability | Evaluation of overall security residual risk acceptability following the implementation and verification of all security risk controls |
| Security risk management review | Review of security risk management activities to: A. ensure that the security risk management plan has been appropriately implemented; B. confirm the acceptability of the overall security residual risk; C. verify that adequate methods are in place to collect and review information in the production and post-production phases |
| Production and post-production activities | Establishment of processes to: A. monitor, review, and address information relevant to the security of the device in the production and post-production phases; B. reassess security risks and/or assess new security risks when necessary; C. detect previously unrecognized security vulnerabilities, exploits, hazards, and threats; D. identify new methods of exploiting existing vulnerabilities; E. identify and manage security incidents; F. provide security patches and other security software updates as needed |
Security Risk Management Plan
In accordance with the security risk management process, ANSI AAMI SW96:2023 requires the development of a security risk management plan. The security risk management plan is intended to define specific activities, procedures, and systems to be implemented to meet the requirements of the security risk management process. The required components of a security risk management plan are outlined in Clause 4.4 of the standard [2].
Security Risk Management File
In addition to the security risk management process and plan, ANSI AAMI SW96:2023 requires manufacturers to establish and maintain a security risk management file for each medical device system and subsystem. As outlined in Clause 4.7 of the standard, the purpose of the security risk management file is to provide traceability from each identified security vulnerability to its corresponding security risk analysis, evaluation, control measure implementation and verification, and residual risk evaluation. The security risk management file should also incorporate the security risk management plan and the records required to demonstrate that the plan has been fulfilled [2].
Drawing parallels between ANSI AAMI SW96:2023 and other security standards
IEC 81001-5-1
IEC 81001-5-1 Health software and health IT systems safety, effectiveness and security – Part 5-1: Security – Activities in the product life cycle is another key consensus standard which critically guides the development of secure medical devices. However, the principles outlined in IEC 81001-5-1 have a different purpose than the security risk management principles presented in ANSI AAMI SW96:2023.
Clause 7 of IEC 81001-5-1 addresses security risk management, directly overlapping with ANSI AAMI SW96:2023. However, IEC 81001-5-1 adopts a broader approach to cybersecurity, extending beyond the scope of risk management activities. Specifically, it outlines a secure product development framework that emphasizes the integration of cybersecurity practices throughout the software development life cycle [3].
Ultimately, these distinct frameworks complement and inform one another, with the outputs of security risk management being used to shape the design and development of secure products.
AAMI TIR57 and AAMI TIR97
AAMI TIR57 Principles for Medical Device Security – Risk Management and AAMI TIR97 Principles for Medical Device Security – Postmarket Risk Management for Device Manufacturers are technical information reports that offer detailed guidance for managing security risk in different phases of the product lifecycle. AAMI TIR57 focuses on the premarket phase while AAMI TIR97 addresses postmarket risk management.
These subordinate technical reports provide supplementary guidance to ANSI AAMI SW96:2023 by presenting more detailed implementation strategies for security risk management [2]. Consequently, using AAMI TIR57 and AAMI TIR97 in conjunction can provide a comprehensive approach for addressing the security requirements outlined by ANSI AAMI SW96:2023.
Conclusion
FDA’s recent recognition of ANSI AAMI SW96:2023 provides an additional resource for device manufacturers as they address cybersecurity concerns. Moving forward, the continued development, recognition, and adoption of cybersecurity standards will promote industry-wide consistency, streamline premarket review, and enhance resilience against cybersecurity threats.
Need guidance on how to implement the security risk management principles outlined in ANSI AAMI SW96:2023 or any other applicable risk management strategies? Contact MEDIcept for help at sales@medicept.com.
Citations
[1] “FDA Recognizes Key Cybersecurity Standard.” Accessed: Nov. 06, 2023. [Online]. Available: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10512983/
[2] Standard for medical device security–Security risk management for device manufacturers, ANSI/AAMI SW96:2023, 2023.
[3] Health software and health IT systems safety, effectiveness and security – Part 5-1: Security – Activities in the product life cycle, IEC 81001-5-1:2021, 2021.
Abby Rieck – Associate Medical Device Consultant