The FDA has officially extended complete recognition to the Association for the Advancement of Medical Instrumentation (AAMI) guidance document on medical device cybersecurity, ANSI/AAMI SW96.
Per the FDA, ANSI/AAMI SW96:2023, Standard for medical device security – Security risk management for device manufacturers, is an important resource for medical device sponsors, and the agency is encouraging use of this new standard to enhance quality and support product performance.
“FDA recognition of ANSI/AAMI SW96 is a major milestone,” said Matt Williams, vice president of standards at AAMI. “Device manufacturers can confidently use the standard to ensure compliance with FDA requirements and to provide better protection for health systems, hospitals and patients alike. The standard’s adoption definitively furthers AAMI’s mission of promoting ideal patient outcomes.”
In addition to addressing cybersecurity risk management during the design and development of medical devices, the standard also contains clear guidance related to postmarket monitoring of device vulnerabilities, security measures such as patching, and the use of a software bill of materials.
SW96 also provides specific requirements for managing cybersecurity across a product’s life cycle. The standard sets out several vital priorities for manufacturers, including:
- Security risk analysis should be conducted for individual medical devices and systems to identify and document vulnerabilities and risks.
- Security risk evaluation should focus on how devices exist within both hardware and software systems.
- Security risk control should use more than one method of ensuring devices and systems are protected.
- Security risk management plans for medical devices must be in place before distribution, and manufacturers must ensure that any residual risk is acceptable.