CyberMed

Key Standards and Their Roles

Regulatory History and Framework

The standards that matter most for medical device cybersecurity are ANSI/AAMI SW96 for security risk management, ISO 14971 for overall risk management, IEC 62304 for the software lifecycle, and ISO 81001-5-1 for health software security, backed by NIST and FIPS references for specific controls. Each fills a different role in a submission, and FDA formally recognizes most of them.

2.5.1 Core AAMI Standards

The Association for the Advancement of Medical Instrumentation (AAMI) develops many standards referenced by FDA. Understanding these is essential:

ANSI/AAMI SW96:2023 - Security Risk Management

  • Purpose: Provides a framework for managing security risks
  • Key Feature: Largely replaces the older TIR57, though TIR57 is still helpful
  • Why it matters: FDA recognizes this as the primary security risk management standard
  • What it covers: Security risk analysis, evaluation, control, and monitoring

AAMI TIR97:2019 - Post-market Security

  • Purpose: Focuses on security after devices are on the market
  • Key Feature: Addresses ongoing vulnerability management
  • Why it matters: Aligns with FDA's post-market expectations
  • What it covers: Monitoring, assessment, and response processes

AAMI TIR57:2016/(R)2023 - Security Risk Management Principles

  • Status: Largely superseded by SW96, but still helpful for understanding concepts
  • Purpose: Original framework for medical device security
  • Why it matters: Historical context and foundational concepts

2.5.2 Foundational Risk Management Standards

ISO 14971:2019 - Medical Device Risk Management

  • The Foundation: All medical device risk management builds on this
  • Security Integration: Security risks must be managed within this framework
  • Key Concept: Risk management throughout the device lifecycle
  • FDA Recognition: Explicitly recognized and expected by FDA

ISO/TR 24971:2020 - Guidance on ISO 14971

  • Purpose: Practical guidance for implementing ISO 14971
  • Security Relevance: Helps integrate security into overall risk management
  • Key Feature: Examples and clarifications

2.5.3 Software Lifecycle Standards

IEC 62304:2006+A1:2015 - Medical Device Software Lifecycle

  • Purpose: Software development lifecycle processes
  • Security Integration: Security activities within development phases
  • Key Feature: Safety classification drives rigor level
  • FDA Alignment: Maps to FDA software validation expectations

IEC 80002-1:2009 - Software Risk Management

  • Purpose: Applies ISO 14971 specifically to software
  • Security Relevance: Framework for software-related security risks
  • Key Feature: Bridges general risk management and software

2.5.4 Security-Specific Standards

ISO 81001-5-1:2021 - Health Software Security

  • Purpose: Security activities throughout software lifecycle
  • Key Feature: Detailed security implementation guidance
  • Scope: Both standalone software and software in devices

ISO 29147:2018 & ISO 30111:2013 - Vulnerability Handling

  • ISO 29147: Vulnerability disclosure processes
  • ISO 30111: Vulnerability handling procedures
  • FDA Reference: Mentioned for coordinated disclosure
  • Key Feature: Industry-standard approaches to vulnerability management

2.5.5 Infrastructure and Network Standards

IEC 80001 Series - IT Network Risk Management

  • Purpose: Managing risks when devices connect to IT networks
  • Key Concept: Shared responsibility between manufacturers and hospitals
  • Relevance: Critical for connected devices

IEC 62443 Series - Industrial Cybersecurity

  • Purpose: Security for industrial control systems
  • Medical Relevance: Many medical devices use similar technologies
  • Key Feature: Defense-in-depth approach

2.5.6 Cryptographic and Security Control Standards

FIPS Standards (Federal Information Processing Standards)

  • FIPS 140-2: Cryptographic module requirements
  • FIPS 199: Security categorization
  • FIPS 200: Minimum security requirements
  • Why they matter: FDA often expects FIPS-validated cryptography

NIST Standards

  • NIST Cybersecurity Framework: Overall security program structure
  • NIST SP 800-53: Detailed security controls
  • NIST SP 800-30: Risk assessment methodology
