• Decrease font size
  • Return font size to normal
  • Increase font size
U.S. Department of Health and Human Services

Recognized Consensus Standards

  • Print
  • Share
  • E-mail
Super Search Devices@FDA
510(k) | DeNovo | Registration & Listing | Adverse Events | Recalls | PMA | HDE | Classification | Standards
CFR Title 21 | Radiation-Emitting Products | X-Ray Assembler | Medsun Reports | CLIA | TPLC

New Search Back To Search Results
Part B: Supplementary Information Sheet (SIS)
FR Recognition List Number 053 Date of Entry 12/23/2019 
FR Recognition Number 13-112
AAMI TIR97:2019
Principles for medical device security - Postmarket risk management for device manufacturers
This TIR provides guidance for addressing postmarket security risk management within the risk management framework defined by ANSI/AAMI/ISO 14971. While it is based on the ANSI/AAMI/ISO 14971 framework for medical device risk management, most concepts are applicable to any healthcare product that requires postmarket management of security.

This guidance is intended to assist manufacturers and other users of the standard with the following:
-establishing an enterprise-wide process to manage security postmarket interactions with users and other stakeholders;
-creating design features that enable postmarket management of security risk and effective integration with healthcare delivery organization (HDO) network security policies and technologies, or other operational contexts;
-understanding and communicating the security expectations from manufacturers to those who deploy medical devices in a user environment;
-implementing processes to monitor fielded devices for newly discovered security vulnerabilities both from the devices themselves and from other sources;
-implementing processes to assess both safety and security risk to decide when action is required;
-developing a coordinated vulnerability disclosure process;
-implementing processes to manage device security patching; and
-planning for device retirement.

The guidance provided by this document is applicable to the production and post-production phases of the life-cycle of a medical device (hereinafter referred to as the "postmarket" phase).

This TIR expands the information provided in Clause 4 "Production and post-production feedback loop" of ANSI/AAMI/ISO TIR24971:2013 by highlighting the need for proactive monitoring to assess threats and detect vulnerabilities. It references the coordinated safety/security risk assessment approach that was presented in Clause 9 of AAMI TIR57:2016, Production and post-production information.
Extent of Recognition
Complete standard
Rationale for Recognition
The purpose of the recognition of this document is to provide guidance for manufacturers' security risk management in the postmarket phase.
Relevant FDA Guidance and/or Supportive Publications*
Postmarket Management of Cybersecurity in Medical Devices - Guidance for Industry and Food and Drug Administration Staff, issued December 2016.
FDA Technical Contact
 Brian Fitzgerald
Standards Development Organization
AAMI Association for the Advancement of Medical Instrumentation http://www.aami.org
FDA Specialty Task Group (STG)
*These are provided as examples and others may be applicable.