{"id":435973,"date":"2024-10-20T07:52:19","date_gmt":"2024-10-20T07:52:19","guid":{"rendered":"https:\/\/pdfstandards.shop\/product\/uncategorized\/aami-tir97-2019-r2023\/"},"modified":"2024-10-26T14:53:46","modified_gmt":"2024-10-26T14:53:46","slug":"aami-tir97-2019-r2023","status":"publish","type":"product","link":"https:\/\/pdfstandards.shop\/product\/publishers\/aami\/aami-tir97-2019-r2023\/","title":{"rendered":"AAMI TIR97 2019 R2023"},"content":{"rendered":"

This technical information report (TIR) provides guidance on methods to perform postmarket security risk management for a medical device in the context of the Safety Risk Management process required by ISO 14971. This TIR is intended to be used in conjunction with AAMI TIR57:2016.

PDF Catalog

PDF Pages   PDF Title
1           AAMI TIR97:2019/(R)2023; Principles for medical device security—Postmarket risk management for device manufacturers
3           Title page
4           AAMI Technical Information Report
            Copyright information
5           Contents
6           Committee representation
8           Foreword
9           Introduction
11          1 Scope
            2 Terms and definitions
14          3 Postmarket considerations for security policies and security program administration
            3.1 Medical device security policy
            3.2 Coordinated vulnerability disclosure
            3.3 Information sharing
15          3.4 Communication of security capabilities
            4 Design features for postmarket security risk management
            5 Installation and configuration
16          5.1 Device security configuration
            5.2 Security utility updating
            5.3 Other considerations for security maintenance in the clinical environment
            6 Postmarket management of fielded devices
17          Figure 1—Postmarket decision-making flow diagram
18          Figure 2—Cybersecurity signal handling process
19          6.1 Observation and transmission
            6.1.1 Security monitoring
            6.1.1.1 Supplier monitoring
            6.1.1.2 Vulnerability monitoring
20          6.1.1.3 Third-party monitoring services
            6.1.1.4 Product return and servicing
            6.1.1.5 Changes in operational context
            6.1.1.6 Active monitoring
            6.1.2 Coordinated vulnerability disclosure
21          6.1.3 Bug bounty program
            6.1.4 Other sources of security performance information
22          6.2 Assessment
            6.2.1 Preliminary cybersecurity signal risk assessment
23          Table 1—Prioritization of cybersecurity signals
            6.2.2 Product-specific threat event risk assessment
24          Figure 3—Product-specific threat event risk assessment
            6.2.3 Assessing related products (variant analysis)
            6.3 Action
25          Figure 4—Field change and security risk assessment revision due to a new cybersecurity signal
            6.3.1 Speed of response
            6.3.2 Software maintenance
26          6.3.2.1 Patch generation and distribution
27          6.3.2.2 Healthcare delivery organization control variations
            6.3.3 External communication
            Table 2—Types of external communication
28          6.3.4 Interacting with healthcare delivery organizations
29          6.3.5 Inventory management
            7 Retirement/obsolescence
            Figure 5—Product life-cycle and support milestones
            7.1 General considerations
30          7.2 Secure disposal
32          Annex A (informative) Sample medical device security policy statements
            A.1 Medical device security (top-level)
33          A.2 Medical device security operations
            A.3 Supporting security controls and implementation (by organizational function)
35          Annex B (informative) Security risk management for healthcare networks
            B.1 Healthcare network monitoring and device identification
            B.1.1 Operational context
            B.1.2 Design techniques to assist HDOs with device identification
36          Table B.1—Identification techniques
37          B.1.3 Asset identification
            B.1.4 Authorization services
            B.1.5 Structure of healthcare delivery organization networks
            B.1.5.1 Small HDOs
            B.1.5.2 Home healthcare environments
            B.2 Security monitors and logging
38          B.2.1 Passive monitoring
39          B.2.1.1 Technical recommendations for passive security logging
            B.2.2 Active monitoring
40          B.2.3 Security logs
41          B.3 Other design features to support postmarket security risk management
            B.4 Design pitfalls
42          Annex C (informative) Establishing a coordinated vulnerability disclosure process
            C.1 Process establishment
            Figure C.1—A model of the interface between ISO/IEC 29147 and ISO/IEC 30111
43          C.2 Accepting vulnerability information from external sources
            C.3 Process for communicating to users and reporting known vulnerabilities
44          C.4 Importance of third-party applications, firmware, and hardware
            C.5 U.S. FDA recognition of consensus standards (country-specific)
45          Annex D (informative) Mapping of defined terms included in Guidance for Industry and Food and Drug Administration Staff, Postmarket Management of Cybersecurity in Medical Devices
            Table D.1—Mapping of defined terms
50          Annex E (informative) Security incident handling and response
            E.1 Medical device security incident handling and response
            E.2 Incident response preparation
51          E.3 Security incident categories
            E.4 Security incident assessment
            E.5 Security incident response execution
52          E.6 Internal coordination activities
            E.6.1 Internal stakeholders
            E.6.2 Deciding how to respond
54          E.6.3 Internal coordination of external communications
            E.6.4 Patch release coordination
            E.6.5 Incident response plan (impact and technical analysis)
56          Bibliography
","protected":false},"excerpt":{"rendered":"

AAMI TIR97:2019 (R2023) Principles For Medical Device Security – Postmarket Risk Management For Device Manufacturers

Published By      Publication Date   Number of Pages
AAMI              2019               56
","protected":false},"featured_media":435978,"template":"","meta":{"rank_math_lock_modified_date":false,"ep_exclude_from_search":false},"product_cat":[2654],"product_tag":[],"class_list":{"0":"post-435973","1":"product","2":"type-product","3":"status-publish","4":"has-post-thumbnail","6":"product_cat-aami","8":"first","9":"instock","10":"sold-individually","11":"shipping-taxable","12":"purchasable","13":"product-type-simple"},"_links":{"self":[{"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/product\/435973","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/product"}],"about":[{"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/types\/product"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/media\/435978"}],"wp:attachment":[{"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/media?parent=435973"}],"wp:term":[{"taxonomy":"product_cat","embeddable":true,"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/product_cat?post=435973"},{"taxonomy":"product_tag","embeddable":true,"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/product_tag?post=435973"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}