| Part B: Supplementary Information Sheet (SIS) |
|
FR Recognition List Number
|
061
|
Date of Entry 10/09/2023
|
|
FR Recognition Number
|
13-131
|
| Standard | |
ANSI AAMI SW96:2023
Standard for medical device security - Security risk management for device manufacturers |
|
Scope/AbstractThis standard provides requirements and guidance when addressing design, production and post-production security risk management for medical devices within the risk management framework defined by ISO 14971.
This standard is intended to assist manufacturers and other users of the standard with the following:
- identifying threats, vulnerabilities, and assets associated with medical devices and their components and supply chain vendors;
- estimating and evaluating associated security risks;
- determining appropriate security risk controls to reduce security risks;
- verifying and monitoring the effectiveness of the security risk controls;
- establishing an enterprise-wide process to manage security post-production interactions with users and other stakeholders that ensures security of medical devices and systems used to provide medical care;
- creating design features that enable production and post-production management of security risk and effective integration with healthcare delivery organization (HDO) network security policies and technologies, or other operational contexts;
- coordinating communications with HDOs for security risks;
- understanding and communicating the security expectations from manufacturers to those who deploy their medical devices in a user environment;
- implementing processes to manage and monitor fielded medical devices containing either (1) traditional software (including firmware), (2) programmable logic, and (3) hardware for security vulnerabilities;
- implementing security risk management processes to 1) assess security risk in order to decide when action is required and 2) coordinate with safety risk management processes;
- coordinating with HDOs on security risk management activities;
- developing, implementing, and operationalizing a coordinated vulnerability disclosure process;
- implementing processes to manage medical device security patching; and
- planning for medical device retirement.
This standard is applicable to the entire life cycle of a medical device including design, production, and post-production phases. End of Support (EOS) and End of Guaranteed Support (EOGS) are milestones in the post-production phase of the medical device and may vary according to differing market and jurisdictional factors.
This standard expands on the information provided in Clause 10 "Production and post-production activities" of ISO/TR 24971 by highlighting the need for proactive monitoring to assess threats and detect vulnerabilities. It references the coordinated safety/security risk assessment approach that was presented in Clause 9 of AAMI TIR57 "Production and post-production information."
|
|
| Extent of Recognition
|
Rationale for Recognition
This standard is relevant to medical devices and is recognized on its scientific and technical merit and/or because it supports existing regulatory policies.
Note: A declaration of conformity to this standard may not fulfill all requirements under Section 524B of the Federal Food, Drug, and Cosmetics Act (21 USC §360n-2: Ensuring cybersecurity of devices) [as amended by Section 3305 of the Consolidated Appropriations Act, 2023]. |
|
Public Law, CFR Citation(s) and Procode(s)*
| 21 USC 360n-2: Ensuring cybersecurity of devices |
|
Relevant FDA Guidance and/or Supportive Publications*
1. Design Considerations and Pre-market Submission Recommendations for Interoperable Medical Devices - Guidance for Industry and Food and Drug Administration Staff, issued September 2017.
2. Content of Premarket Submissions for Device Software Functions - Guidance for Industry and Food and Drug Administration Staff, issued June 2023.
3. Off-The-Shelf Software Use in Medical Devices - Guidance for Industry and Food and Drug Administration Staff, issued August 2023.
4. Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices - Guidance for Industry and Food and Drug Administration Staff, issued September 2019.
5. Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions - Guidance for Industry and Food and Drug Administration Staff, issued September 2023.
6. Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software, issued January 2005.
7. Postmarket Management of Cybersecurity in Medical Devices - Guidance for Industry and Food and Drug Administration Staff, issued December 2016.
Appropriate Use of Voluntary Consensus Standards in Premarket Submissions for Medical Devices - Guidance for Industry and Food and Drug Administration Staff, issued September 2018. |
|
| FDA Technical Contacts
|
| Standards Development Organizations
|
| FDA Specialty Task Group (STG)
|
| *These are provided as examples and others may be applicable. |
