It took a few years to make it happen, but the AAMI TIR57 “Principles for medical device security – Risk management” standard was finally published by AAMI this summer, and the FDA formally recognized it as a foundational standard less than a month after it came out.
It really is no surprise that the FDA recognized it, since FDA staff members contributed to the standard. I too had the pleasure of participating in the working group, which included a wide range of members from the healthcare community, including device manufacturers, regulators, as well as consultants specializing in medical device security.
The group was chaired by Ken Hoyme, who began chairing the working group soon after leaving Boston Scientific’s implantable cardiac device division (what was once known as Guidant), and joining the consulting team at Adventium. Kevin Fu, arguably the first person to ever publish a “hack” of a medical device, co-chaired the group.
Although most of the guidance in TIR57 is high level, it is well structured and outlines a good process for risk management. It is largely based on application of ANSI/AAMI/ISO 14971 risk management principles to the medical device space. While this is the first AAMI document from this working group, the work is not completed. The intention of the working group is to create additional work products to assist the medical device community and regulators in addressing medical device security. The next body of work the group intends to tackle is creating a product that can assist the medical device industry in applying the upcoming FDA post market surveillance guidance. I look forward to the challenge, as I believe standards are indeed a good thing where cybersecurity is a concern. At a minimum, standards establish a level playing field.
Congratulations to the entire team for a job well done.
Mike Amadhi is the Director of Critical Systems Security at Synopsys.