AAMI TIR57-2016 (2023) PDF
Original AAMI TIR57-2016 (2023) standard, full version in PDF. Additional information and a preview are available on request.
Full title and description
AAMI TIR57:2016/(R)2023 — Principles for medical device security — Risk management. This Technical Information Report (TIR) provides guidance for performing information-security risk management for medical devices and for integrating security risk considerations into the safety risk management process required by ISO 14971.
Abstract
TIR57 offers practical guidance to help manufacturers and other stakeholders identify assets, threats and vulnerabilities associated with medical devices; estimate and evaluate security-related risks; select and implement controls to reduce risk; and monitor the effectiveness of those controls throughout the lifecycle. The report includes explanatory annexes and illustrative examples to show how security risk management can be integrated with existing safety-risk processes.
General information
- Status: Published Technical Information Report; reaffirmed as AAMI TIR57:2016/(R)2023.
- Publication date: Original designation 2016 (TIR57:2016); the PDF/store listing shows a release entry dated 3 September 2019; reaffirmation noted in 2023.
- Publisher: Association for the Advancement of Medical Instrumentation (AAMI).
- ICS / categories: Medical device security; software and informatics; risk management; medical device cybersecurity (specialty classification in regulatory listings: Software/Informatics).
- Edition / version: TIR57:2016/(R)2023 (Technical Information Report; (R) denotes reaffirmation/reissue).
- Number of pages: 84 pages (PDF/product listing).
Scope
The report's scope is to provide guidance on methods to perform information-security risk management for medical devices within the context of the safety-risk management framework of ISO 14971. It addresses identification of assets, threats and vulnerabilities; estimation and evaluation of security risks; selection and verification of risk controls; and post-market monitoring of security controls and vulnerabilities. Annexes supply process details and illustrative examples to help implementers apply the guidance in real product-development and post-market contexts.
Key topics and requirements
- Integration of information-security risk management with ISO 14971 safety-risk processes.
- Identification and classification of assets, threats and vulnerabilities specific to medical devices and their environments.
- Methods for estimating and evaluating security-related risk (impact, likelihood, and risk acceptability decisions).
- Selection, implementation and verification of controls to reduce confidentiality, integrity and availability risks.
- Lifecycle considerations: secure design, secure updates/patching, supply-chain and component management, and post-market vulnerability monitoring.
- Annexes with process templates and an illustrative example device to show how to apply the guidance.
Typical use and users
Primary users are medical device manufacturers (product security teams, software and systems engineers), regulatory and quality assurance professionals, clinical engineers, and third-party assessors. The TIR is used during product development, risk-management workshops, premarket technical documentation preparation, and post-market security monitoring and incident response planning.
Related standards
Key related documents and standards include ISO 14971 (medical device risk management), IEC 80001-1 (risk management for IT networks incorporating medical devices), IEC 81001-5-1 (health software/product lifecycle security activities), and newer or complementary AAMI/ANSI documents addressing medical-device software and cybersecurity (for example, related AAMI guidance and ANSI/AAMI SW standards). TIR57 is often used alongside these normative standards to guide implementation.
Keywords
medical device security, cybersecurity, risk management, ISO 14971, IEC 80001, information security, device vulnerability, post-market surveillance, secure design, TIR57.
FAQ
Q: What is this standard?
A: AAMI TIR57 is a Technical Information Report titled "Principles for medical device security — Risk management." It provides guidance (not normative requirements) for integrating information-security risk management into medical-device safety and lifecycle processes.
Q: What does it cover?
A: It covers identification of assets, threats and vulnerabilities; methods to estimate and evaluate security risks; selection and verification of controls; and monitoring and response for security issues throughout the device lifecycle. It includes annexes with process details and examples.
Q: Who typically uses it?
A: Device manufacturers (engineering, software security, risk, QA/RA), clinical engineering groups, testing and certification labs, and regulators or assessors who want to understand accepted guidance for medical-device security risk management.
Q: Is it current or superseded?
A: TIR57 was published as TIR57:2016 and is listed as reaffirmed as TIR57:2016/(R)2023; it remains a current guidance document. Note that newer normative standards and guidance (for example, ANSI/AAMI and IEC cybersecurity standards) have been published since and may impose additional or mandatory requirements in specific jurisdictions; TIR57 nevertheless remains a widely used implementation guidance document.
Q: Is it part of a series?
A: It is part of AAMI's body of technical information reports and guidance addressing medical-device safety, software and cybersecurity; it is commonly used together with ISO 14971, IEC 80001-1 and other AAMI TIRs focused on device safety and software.
Q: What are the key keywords?
A: Medical device security, cybersecurity, risk assessment, ISO 14971 integration, threat and vulnerability analysis, controls verification, post-market surveillance.