What is AAMI TIR57?
AAMI TIR57:2016 (Technical Information Report) provides principles for medical device security — specifically addressing the application of risk management principles (from ISO 14971) to medical device cybersecurity.
As a Technical Information Report, TIR-57 is informative guidance rather than a normative standard in the sense of IEC 62304 or ISO 14971 (none of the three is legally mandatory on its own; FDA treats them as recognized consensus standards that a submission can declare conformity to). It is widely used as a reference by the medical device cybersecurity community, is cited in FDA's premarket cybersecurity guidance, and has since been complemented by ANSI/AAMI SW96:2023, a normative standard that carries the same security risk management approach forward.
The report bridges the gap between traditional safety risk management (ISO 14971) and the emerging discipline of cybersecurity for connected medical devices — a gap that has grown more significant as devices increasingly connect to hospital networks, the internet, and patient smartphones.
Security Risk Management for Medical Devices
TIR-57's core contribution is a framework for applying security risk management principles in a way that complements and integrates with safety risk management under ISO 14971.
Key concepts include: assets (what needs protection: device functionality, patient and configuration data, network access, credentials and keys), threats (potential sources of harm: malicious actors, unintentional misuse, environmental disruption), vulnerabilities (weaknesses an attacker could exploit), and security controls (measures that remove a vulnerability, lower the likelihood of a successful exploit, or limit its impact).
The TIR-57 framework parallels ISO 14971's structure: identify threats, estimate likelihood and impact, evaluate risk, implement controls, assess residual risk. This parallelism lets manufacturers run one integrated safety-security risk management process instead of two siloed programs. The two analyses are linked rather than merged: a security risk whose exploitation could lead to patient harm is also a safety risk and must appear as a hazard in the ISO 14971 file, while security risks with no safety consequence (for example, loss of data confidentiality) are managed in the security risk file alone.
The TIR-57 Security Framework
Security Risk Analysis: Identify device assets, enumerate threats to those assets, and estimate the likelihood and impact of a successful attack. Likelihood depends on both the threat agent (capability, motivation, access) and the exploitability of the vulnerability (how reachable the attack surface is and what skill or equipment an exploit needs).
Security Risk Evaluation: Decide which identified risks are acceptable and which require treatment. Unlike a component failure rate, the likelihood of an exploit is not stable: new techniques, public exploit code, and more capable attackers change it over time, so security risk evaluation must account for the evolving threat landscape and acceptability decisions need to be revisited rather than fixed at release.
Security Risk Control: Implement controls to reduce risk to acceptable levels. TIR-57 emphasizes defense-in-depth: multiple layered controls rather than reliance on a single security measure.
Security Risk Monitoring: Post-market monitoring for new vulnerabilities, new attack techniques, and changes in the threat environment. This feeds into postmarket cybersecurity surveillance programs.
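A small security risk register that walks the four steps above (analysis, evaluation, layered control, residual risk) and flags risks that must also be carried into the ISO 14971 hazard analysis. This is an added illustration, not code or numbers from TIR-57: the ordinal scales, the acceptability threshold, the control effects, and the infusion-pump sample entries are all assumptions chosen to show the mechanics.

```python
from dataclasses import dataclass, field, replace
from typing import List

# Ordinal scales. These are assumptions for illustration only: TIR-57 does
# not prescribe a numeric scale or an acceptability threshold; each
# manufacturer defines its own in the security risk management plan.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
IMPACT = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4}
ACCEPTABLE_SCORE = 4  # likelihood x impact at or below this needs no treatment


@dataclass
class Control:
    """A security control and the ordinal steps it removes from likelihood/impact."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class SecurityRisk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    safety_impact: bool = False  # True if exploitation could lead to patient harm
    controls: List[Control] = field(default_factory=list)

    def _levels(self, with_controls: bool):
        lik = LIKELIHOOD[self.likelihood]
        imp = IMPACT[self.impact]
        if with_controls:
            lik -= sum(c.likelihood_reduction for c in self.controls)
            imp -= sum(c.impact_reduction for c in self.controls)
        # A control can lower a level but never below the bottom of the scale.
        return max(lik, 1), max(imp, 1)

    def initial_score(self) -> int:
        lik, imp = self._levels(with_controls=False)
        return lik * imp

    def residual_score(self) -> int:
        lik, imp = self._levels(with_controls=True)
        return lik * imp


def evaluate(score: int) -> str:
    """Security risk evaluation against the (assumed) acceptability criterion."""
    return "acceptable" if score <= ACCEPTABLE_SCORE else "requires treatment"


def with_controls(risk: SecurityRisk, *controls: Control) -> SecurityRisk:
    """Return a copy of the risk with the given controls applied (risk control step)."""
    return replace(risk, controls=list(controls))


def safety_handoff(register: List[SecurityRisk]) -> List[str]:
    """Threats that must also be entered as hazards in the ISO 14971 file."""
    return [r.threat for r in register if r.safety_impact]


# Constructed sample register for a connected infusion pump (hypothetical device).
DOSE_CMD = SecurityRisk(
    asset="dose command interface (BLE)",
    threat="unauthenticated attacker sends a bolus command",
    vulnerability="commands accepted without authentication",
    likelihood="possible", impact="critical", safety_impact=True,
)
LOG_EXPORT = SecurityRisk(
    asset="treatment log export",
    threat="patient data read from an unencrypted export",
    vulnerability="export file written in cleartext",
    likelihood="possible", impact="serious",
)

# Two layered controls for the dose-command risk (defense in depth).
AUTH = Control("mutual authentication on the BLE link", likelihood_reduction=1)
BOUNDS = Control("firmware-enforced dose limits", impact_reduction=2)

if __name__ == "__main__":
    for candidate in (with_controls(DOSE_CMD, AUTH),
                      with_controls(DOSE_CMD, BOUNDS),
                      with_controls(DOSE_CMD, AUTH, BOUNDS)):
        names = " + ".join(c.name for c in candidate.controls)
        print(f"{names}: residual {candidate.residual_score()} "
              f"-> {evaluate(candidate.residual_score())}")
    print("hazards for ISO 14971:", safety_handoff([DOSE_CMD, LOG_EXPORT]))
```

With the assumed scales, neither control alone brings the dose-command risk into the acceptable band (authentication only lowers likelihood, dose limits only cap impact), but the two together do; that is the defense-in-depth point in concrete form. The `safety_impact` flag is what keeps the security file and the ISO 14971 file consistent: any risk carrying it must appear in both.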
Alignment with FDA Cybersecurity Guidance
FDA's 2023 premarket cybersecurity guidance draws on the same security risk management principles as TIR-57 and cites it as a reference, turning them into specific premarket submission content expectations. The guidance itself is not binding; the legal force comes from Section 524B of the FD&C Act (added by the Consolidated Appropriations Act, 2023), which requires manufacturers of "cyber devices" to address cybersecurity in their submissions.
Key areas where TIR-57 principles inform FDA expectations: threat modeling documentation (TIR-57's security risk analysis), SBOM requirements (asset identification extended to software components), postmarket monitoring (TIR-57's security risk monitoring), and coordinated vulnerability disclosure (addressing residual risks identified post-market).
Manufacturers who have implemented a TIR-57-aligned security risk management program are well-positioned to meet FDA's premarket cybersecurity documentation requirements — the conceptual framework is directly transferable.
How Software Quality Guru Helps
- TIR-57 security risk management framework implementation
- Integration of security risk management with ISO 14971 safety processes
- Threat modeling aligned to TIR-57 and FDA 2023 guidance
- Security risk analysis and evaluation documentation
- Security control specification and verification
- Postmarket cybersecurity surveillance procedure development
- FDA premarket submission cybersecurity documentation