Protecting IT systems: AAMI Report offers the first dedicated guide
The medical device industry in the USA is a step ahead of its European counterpart when it comes to IT security. In June 2016 the Association for the Advancement of Medical Instrumentation (AAMI) published a Technical Information Report (TIR) on the subject of risk management for connected medical devices (AAMI TIR57/Ed. 1, Principles for medical device security—Risk management), which is listed by the Food and Drug Administration (FDA) as a recognized standard. In Europe, requirements concerning IT security must still be drawn from the general requirements for medical devices; the AAMI document is the first guideline to be dedicated to IT security within the scope of risk management.
From blood pressure monitors and intravenous pumps to cardiac pacemakers, ever-increasing numbers of today’s medical devices make use of wireless connectivity by being incorporated into IT networks and communicating with smartphones and tablets via broadband and Bluetooth. Although this new connectivity offers many benefits for patients as well as healthcare users and managers, it also involves previously unfamiliar risks such as cyberattacks from hackers, data theft, and data manipulation. Minimizing the vulnerability of medical devices, these “small cogs in big wheels”, is a complex and often new challenge for the manufacturers of these products.
The measures that must be taken by manufacturers to protect their devices and the data associated with them are set forth in the general requirements for the security of medical devices and in further harmonized and national laws such as the German Data Protection Act. In Europe, the Medical Device Directive (MDD) contains some sections ultimately referring to IT protection; these are legal requirements and must be correctly implemented by manufacturers. Assistance is already provided by a variety of standards governing the development of medical devices as well as IT and wireless systems. However, the AAMI Report is the first document to specifically address the issues of cybersecurity that concern many manufacturers, and serves as a risk management guide.
Medical device manufacturers seeking to design and market connected products must now ensure they correctly interpret the general requirements of the standards in terms of IT security, and integrate viable IT security measures into their risk management procedures to keep pace with the continuous evolution of the connected world. TÜV SÜD and its IT security specialists provide support in these endeavors, supplying an overview of all relevant requirements as well as training, analyses, and testing for devices and systems.