ISO/NP 81001-5-2 (Ed 2) Health software and health IT systems safety, effectiveness and security — Part 5-2: Security Risk Management for Manufacturers

Scope

This document provides requirements and guidance for design, production and post-production security risk management across the life cycle of a medical device, within the risk management framework defined by ISO 14971.
This document assists manufacturers and other users of the standard with the following:
- identifying threats, vulnerabilities, and assets associated with medical devices, their components, and their supply chain vendors;
- estimating and evaluating the associated security risks;
- determining appropriate security risk controls to reduce security risks;
- verifying and monitoring the effectiveness of the security risk controls;
- establishing an enterprise-wide process to manage post-production security interactions with users and other stakeholders that ensures the security of medical devices and of the systems used to provide medical care;
- creating design features that enable production and post-production management of security risk and effective integration with healthcare delivery organization (HDO) network security policies and technologies, or other operational contexts;
- coordinating communications with HDOs about security risks;
- understanding and communicating the manufacturer's security expectations to those who deploy their medical devices in a user environment;
- implementing processes to manage and monitor fielded medical devices for security vulnerabilities, whether the device contains (1) traditional software (including firmware), (2) programmable logic, or (3) hardware;
- implementing security risk management processes to 1) assess security risk in order to decide when action is required and 2) coordinate with safety risk management processes;
- coordinating with HDOs on security risk management activities;
- developing, implementing, and operationalizing a coordinated vulnerability disclosure process;
- implementing processes to manage medical device security patching; and
- planning for medical device retirement.
This document is applicable to the entire life cycle of a medical device including design, production,
and post-production phases. End of Support (EOS) and End of Guaranteed Support (EOGS) are
milestones in the post-production phase of the medical device and may vary according to differing
market and jurisdictional factors.
This document expands on the information provided in Clause 10, "Production and post-production activities", of ISO/TR 24971 by highlighting the need for proactive monitoring to assess threats and detect vulnerabilities. It references the coordinated safety/security risk assessment approach presented in Clause 9, "Production and post-production information", of AAMI TIR57.

Purpose

The purpose and justification of this work are aligned with AAMI SW96, which is currently published in the United States as a full standard and is attached to this proposal (see Annex 1: AAMI SW96). Additional supporting content may be drawn from AAMI TIR57 and AAMI TIR97, which address related material.
