AAMI TIR97-2019 PDF
Name in English: AAMI TIR97-2019 standard
Name in Russian: Ст AAMI TIR97-2019
Original standard AAMI TIR97-2019, full version in PDF. Additional information and a preview are available on request.
Full title and description
AAMI TIR97:2019 — Principles for medical device security — Postmarket risk management for device manufacturers. This Technical Information Report provides guidance to medical device manufacturers on methods and processes for managing security risks for devices after they are marketed, and is intended to be used alongside AAMI TIR57 and ISO 14971 as part of a device safety and risk-management program.
Abstract
This TIR describes principles and practical activities for postmarket cybersecurity risk management of medical devices: identifying and assessing vulnerabilities discovered after deployment, monitoring and information sources, vulnerability disclosure and coordination, compensating controls, mitigation/patch delivery, incident response and communications, and integration of security risk activities with the safety risk-management processes required by ISO 14971. It is aimed at helping manufacturers maintain device safety and security across the product lifecycle.
General information
- Status: Current (originally published in 2019; reaffirmed as AAMI TIR97:2019/(R)2023).
- Publication date: 27 September 2019 (reaffirmed as (R)2023).
- Publisher: AAMI (Association for the Advancement of Medical Instrumentation).
- ICS / categories: Medical device safety and security; risk management; software/cybersecurity for healthcare devices.
- Edition / version: TIR97:2019 (reaffirmed as (R)2023). ISBN 978-1-57020-725-9.
- Number of pages: 56.
Scope
Provides guidance for performing postmarket security risk management for marketed medical devices within the safety risk-management framework defined by ISO 14971. Topics include monitoring for new vulnerabilities, assessing the impact of discovered vulnerabilities on device safety and performance, prioritizing and documenting risk-mitigation actions (including compensating controls, patches, and updates), coordinating vulnerability disclosure and stakeholder communications, and integrating postmarket security activities with existing regulatory and quality processes. The report is directed primarily at device manufacturers and their cybersecurity, regulatory, quality, and field-support teams.
Key topics and requirements
- Postmarket vulnerability monitoring and threat intelligence sources.
- Security risk assessment and mapping security risks into the ISO 14971 safety risk-management process.
- Coordinated vulnerability disclosure and stakeholder communication procedures.
- Use of compensating controls, mitigation timelines and delivery (including temporary controls while fixes are developed and validated).
- Planning and delivering security updates/patches, and considerations for change control and validation.
- Incident detection, response planning, investigation, reporting and post-incident review.
- Documentation and traceability of postmarket security activities within quality and regulatory systems.
Typical use and users
Used by medical device manufacturers (product security, regulatory affairs, quality, software engineering, and field service teams) to implement or improve postmarket cybersecurity processes. Also useful for healthcare technology management, hospital biomedical engineering, cybersecurity assessors, and consultants who support secure device deployment and incident response. Training courses and workshops commonly reference this TIR to translate principles into operational postmarket programs.
Related standards
Intended to be used with AAMI TIR57 (Principles for medical device security — Risk management) and with ANSI/AAMI/ISO 14971 (application of risk management to medical devices). It is consistent with FDA postmarket cybersecurity guidance and references NIST guidance and other IEC and industry documents on medical device and health-IT security. Other related AAMI documents (and later AAMI cybersecurity standards such as SW96) expand on lifecycle and design-phase requirements.
Keywords
postmarket cybersecurity; medical device security; vulnerability management; incident response; ISO 14971; risk management; coordinated disclosure; patches and updates; compensating controls; manufacturer responsibilities.
FAQ
Q: What is this standard?
A: AAMI TIR97:2019 is a Technical Information Report that provides principles and guidance for medical device manufacturers to manage cybersecurity risks after devices are placed on the market.
Q: What does it cover?
A: It covers postmarket activities including monitoring for vulnerabilities, assessing and prioritizing security risks, applying compensating controls, issuing mitigations or patches, coordinated disclosure and communications, and integrating these activities with the safety risk-management process required by ISO 14971.
Q: Who typically uses it?
A: Primary users are medical device manufacturers (cybersecurity teams, quality/regulatory affairs, software/engineering, and field service). It is also referenced by healthcare technology managers, security assessors, and consultants.
Q: Is it current or superseded?
A: The document was published 27 September 2019 and has an (R)2023 reissue; it is recognized as relevant guidance and is listed among standards the FDA recognizes for medical device cybersecurity topics. Users should verify the latest AAMI catalogue or regulatory recognition lists for any newer revisions.
Q: Is it part of a series?
A: Yes — TIR97 is part of AAMI’s body of cybersecurity guidance and is intended to be used in conjunction with TIR57 and other AAMI/ISO documents (and complements regulatory guidance such as the FDA’s postmarket cybersecurity guidance).
Q: What are the key keywords?
A: Postmarket cybersecurity, vulnerability management, incident response, coordinated disclosure, compensating controls, patch management, ISO 14971, medical device security, manufacturer postmarket responsibilities.