AAMI TIR97: Principles for medical device security - Postmarket risk management for device manufacturers

3 Postmarket considerations for security policies and security program administration
3.1 Medical device security policy
AAMI TIR57:2016 provides guidance on developing a medical device security policy in Subclause 3.2, Management responsibilities. The medical device security policy should define management’s intent to secure the organization’s medical devices throughout their lifecycle. The policy should address postmarket regulatory requirements and be supported by standards, procedures, work instructions, and other artifacts that address security risk management, threat event handling, incident handling, coordinated vulnerability disclosure, and security education and training. In addition, the policy should facilitate consistent and effective external communications, as well as allow for monitoring and improvement of the processes required by the policy.
Postmarket information in the policy should include, but not be limited to, threat intelligence, patch and vulnerability management, threat event and incident handling, security risk assessment, and third-party risk management. The policy should also include requirements for security maintenance across the entire device life-cycle.
Annex A provides a non-exhaustive list of sample statements that can be incorporated in a manufacturer’s medical device security policy.
3.2 Coordinated vulnerability disclosure
Manufacturers should develop a coordinated vulnerability disclosure process to provide security researchers and others with a means to communicate device vulnerabilities to appropriate parties, including regulatory authorities.
Subclause 6.1.2 and Annex C provide additional information about establishing a coordinated vulnerability disclosure process.
NOTE The customer communication channel for handling complaints can typically be used for handling reports of potential vulnerabilities with minor modifications and appropriate training. However, this is separate from the coordinated vulnerability disclosure process, which requires agreements to be in place prior to discussion of vulnerabilities.
3.3 Information sharing
Information about medical device vulnerabilities and potential threats to these devices should be communicated in a consistent manner to existing customers. Depending on the nature of the vulnerability or threat, it may also be important to share the information with an information sharing and analysis organization (ISAO), such as when the vulnerability or threat could apply to the broader industry.
To prevent threat actors from exploiting a vulnerability in a device and potentially causing harm, a process should be established to communicate details on vulnerabilities, compensating controls, and risk controls to customers. How quickly this communication will occur should be established and be dependent on the risk level of the vulnerability/threat. In the case of a moderate to high-risk vulnerability, communication to the customer should be done expediently even if vendor-recommended compensating controls or remediation steps are not yet available (see Subclause 6.2.2). This communication may include posting known vulnerabilities to a publicly accessible or password protected space (i.e., company website) together with the corresponding patches, when applicable. Information provided may also be staged as it becomes available. Information shared should also include details about the risk ranking of the vulnerability (e.g., its Common Vulnerability Scoring System (CVSS) scoring) and whether it has been exploited. For higher-risk vulnerabilities, the first stage will typically suggest compensating controls (e.g., removing the medical device from the network) that can be implemented by the end user while the manufacturer develops a more comprehensive risk control measure (e.g., patch). For a high-profile vulnerability which affects the overall medical and IT industries (e.g., WannaCry), even if the manufacturer confirms that the vulnerability is not exploitable on their product(s), the manufacturer should promptly communicate this information in order to assist HDOs in concentrating their efforts on other medical devices potentially affected. Reporting vulnerabilities to an ISAO allows critical cyber information to be shared with other stakeholders, which can prevent similar vulnerabilities in other medical devices from being exploited or additional cyber-attacks from occurring.
This relationship is mutual, and in return for sharing information, manufacturers should be given information and intelligence on vulnerabilities and threats across multiple sectors.