
The steps that involve manufacturing, regulation, planning, assessment, acquisition, and management of medical devices are complex but essential to guarantee their quality, safety, and compatibility with the settings in which they are used. ANSI/AAMI SW96:2023—Standard For Medical Device Security – Security Risk Management For Device Manufacturers provides requirements for performing security risk management for medical devices throughout their entire life cycle.
Why is Security for Medical Devices Important?
A medical device can be any instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use, software, material, or other similar or related article that is intended by the manufacturer to be used for a medical purpose. Security risk management is an integral part of the medical device product development lifecycle. It helps medical device manufacturers ensure that the product is reliable, works as expected and causes no harm to the patients, operators, or the environment. Essentially, the main purpose of the risk management cycle is to reduce or mitigate the chances of failure in the product. ANSI/AAMI SW96:2023 details the various policies, procedures and practices used to analyze, evaluate, control, and monitor risks systematically in medical devices.
The ANSI/AAMI SW96:2023 Standard For Medical Device Security
ANSI/AAMI SW96:2023 provides requirements and guidance on methods to perform security risk management for medical devices in the context of the safety risk management process required by ISO 14971:2019, Medical devices—Application of risk management to medical devices. This standard is applicable to the entire life cycle of a medical device including design, production, and post-production phases. It is intended to be used in conjunction with AAMI TIR57 and AAMI TIR97.
The objective of ANSI/AAMI SW96:2023 is to assist manufacturers in identifying and evaluating threats, vulnerabilities, and assets associated with medical devices and their components and supply chain vendors. Additionally, the standard aims to create design features that enable production and post-production management of security risk and effective integration with healthcare delivery organization (HDO) network security policies and technologies, or other operational contexts.
Security Risk Management Process in ANSI/AAMI SW96:2023
ANSI/AAMI SW96:2023 specifies that the security risk management process should include these elements:
1. Security Risk Analysis
- Selection of product security standards to be considered and implemented across the medical device’s life cycle
- Threat modeling: Execution of threat modeling across the medical device’s life cycle to drive initial identification of threats, associated security risk control measures and security design requirements
- Establishment of organizational capabilities for the identification and detection of security vulnerabilities across the medical device’s life cycle
2. Security Risk Evaluation
- Establishment of a security assessment strategy, including the type and frequency of these activities (e.g., testing, code analysis)
- Execution of security testing (e.g., application, interface, hardware, firmware) for medical devices in development, as security testing can identify and detect additional security vulnerabilities
3. Security Risk Control
- Identification, design, and implementation of appropriate security risk control measures
- Verification of the implementation and effectiveness of security risk control measures
4. Evaluation of Overall Security Residual Risk Acceptability
- Determining if the overall security residual risk posed by the medical device is acceptable
5. Security Risk Management Review
- Preparation of a security risk management report
6. Production and Post-Production Activities
- Vulnerability monitoring process to identify potential new security risks associated with both manufacturer-developed software and third-party components
- Establishment of a process to maintain awareness of new threats (e.g., establishing a threat intelligence program or using membership in ISAOs or similar organizations that serve as threat intelligence sources)
- Security incident response plan
- Vulnerability disclosure and communication plans including the consideration of a Coordinated Vulnerability Disclosure process
- Establishment of a customer communication process (e.g., operating environment assumptions, patch management communications, Software Bill of Materials (SBOM))
- Periodic reviews of security risk controls and the security landscape to ensure that all security risks have been considered and all security risk control activities are complete
- Identification of vulnerabilities and development, testing, and deployment of security patches
Management should review the suitability of the security risk management process at planned intervals to ensure continuing effectiveness of the security risk management process and shall document any decisions and actions taken. These persons in management should have knowledge of and experience with the particular medical device (or similar medical devices) and its use, the technologies involved, and the safety and security risk management techniques employed.
ANSI/AAMI SW96:2023—Standard For Medical Device Security – Security Risk Management For Device Manufacturers is available on the ANSI Webstore.