FDA Recognizes AAMI SW96 Cybersecurity Guidance Document

By MedTech Intelligence Staff

The FDA has officially extended complete recognition to the Association for the Advancement of Medical Instrumentation (AAMI) guidance document on medical device cybersecurity, ANSI/AAMI SW96.

Per the FDA, ANSI/AAMI SW96:2023, Standard for medical device security – Security risk management for device manufacturers, is an important resource for medical device sponsors, and the agency is encouraging use of this new standard to enhance quality and support product performance.

“FDA recognition of ANSI/AAMI SW96 is a major milestone,” said Matt Williams, vice president of standards at AAMI. “Device manufacturers can confidently use the standard to ensure compliance with FDA requirements and to provide better protection for health systems, hospitals and patients alike. The standard’s adoption definitively furthers AAMI’s mission of promoting ideal patient outcomes.”

In addition to addressing cybersecurity risk management during the design and development of medical devices, the standard also contains clear guidance related to postmarket monitoring of device vulnerabilities, security measures such as patching, and the use of a software bill of materials.

SW96 also provides specific requirements for managing cybersecurity across a product’s life cycle. The standard sets out several vital priorities for manufacturers, including:

  1. Security risk analysis should be conducted for individual medical devices and systems to identify and document vulnerabilities and risks.
  2. Security risk evaluation should focus on how devices exist within both hardware and software systems.
  3. Security risk control should use more than one method of ensuring devices and systems are protected.
  4. Security risk management plans for medical devices must be in place before distribution, and manufacturers must ensure that any residual risk is acceptable.
