
AAMI Update: FDA Recognizes Cybersecurity and Data Security AAMI Standards for Health Technology

  • Writer: IBAOE
  • Jan 1, 2020



By AAMI

The U.S. Food and Drug Administration (FDA) has just approved two AAMI guidance documents related to cybersecurity and data management. These formal recognitions have major implications for medical device manufacturers and the state of the art of medical device cybersecurity.


AAMI is pleased to announce that the FDA has officially extended complete recognition to AAMI’s groundbreaking guidance document on medical device cybersecurity, ANSI/AAMI SW96. Per the FDA, ANSI/AAMI SW96:2023, Standard for medical device security – Security risk management for device manufacturers, is an important resource for medical device sponsors.


“The FDA encourages use of this new standard to enhance quality and support product performance,” the agency stated.


“FDA recognition of ANSI/AAMI SW96 is a major milestone,” added Matt Williams, vice president of standards at AAMI. “Device manufacturers can confidently use the standard to ensure compliance with FDA requirements and to provide better protection for health systems and their patients. The standard’s adoption definitively furthers AAMI’s mission of promoting ideal patient outcomes.”


Released earlier this year, ANSI/AAMI SW96 raised the bar for medical device cybersecurity risk management during the design and development stages. It contains clear guidance related to postmarket monitoring of device vulnerabilities, security measures like patching and software bills of materials.


It is also the first guidance document that provides specific requirements for managing security across a product’s life cycle. The standard sets out several key priorities:



  1. Security risk analysis should be conducted for individual medical devices and systems to identify and document vulnerabilities and risks.

  2. Security risk evaluation should focus on how devices exist within both hardware and software systems.

  3. Security risk control should use more than one method of ensuring devices and systems are protected.

  4. Security risk management plans for medical devices must be in place before distribution and manufacturers must ensure that any residual risk is acceptable.



But ANSI/AAMI SW96 is not the only AAMI guidance document to receive FDA recognition. FDA also recognized ANSI/AAMI 2700-2-1:2022, which provides guidance on the storage and use of data in order to promote safety and quality assurance.


The FDA’s database of recognized consensus standards can be found online. Questions? Reach out to AAMI’s Standards team at standards@aami.org.


A Review in ‘Minutes?’ How ASCA Accelerates Premarket Approval


The FDA’s Accreditation Scheme for Conformity Assessment, or ASCA, has graduated from pilot to permanent program. ASCA is meant to accelerate the premarket review process for medical devices, and in the words of FDA’s Eric Franca, “makes our lives easier.”


AAMI Chief Learning and Development Officer Robert Burroughs recently interviewed Franca about ASCA and its transition to permanent program. Franca currently serves as ASCA team lead and policy advisor at the Center for Devices and Radiological Health at FDA. He believes that ASCA will be a boon to the many groups of stakeholders involved in the premarket approval process for medical devices.


So, what was the reason for starting ASCA? Franca indicated that the program was initially conceived to address inconsistencies in test reporting. ASCA is meant to increase confidence in test labs, streamline reporting and even reduce the amount of material needed to secure FDA approval. With the program becoming permanent as part of the 2022 MDUFA V legislation, ASCA has also enjoyed growth in participation, with the addition of over 100 accredited test labs and five recognized accreditation bodies.


According to Franca, the program has benefited regulators, manufacturers and labs alike. Providing a test case of the program’s usefulness, Franca stated that premarket submissions have “been much easier to review.” He told Burroughs of one instance where FDA asked for additional biocompatibility testing from a manufacturer, who contracted with an ASCA accredited lab. While establishing the contract took time, it took FDA staff “maybe fifteen minutes” to review the resulting report.


Franca noted that under the old model, it would have taken hours to review a much longer report that might have required the consultation of additional biocompatibility experts. However, ASCA accredited labs know exactly what the review process requires and the best way to deliver that information concisely, allowing a greater number of FDA staff to review previously obtuse premarket submissions.


Regarding how manufacturers can participate in ASCA, Franca stated that manufacturers already adhering to a given industry standard should “keep doing what you’re already doing.” Manufacturers interested in taking advantage of the ASCA program should contact ASCA accredited test labs, who will walk them through the process of developing a test plan with the lab. Participants will receive both a standard full-length test report and a concise ASCA summary test report. Participating in ASCA requires device developers to turn in the ASCA summary report to the FDA, declare the use of ASCA in their cover letter, and indicate conformity to a given standard.


As an added benefit, Franca noted that ASCA is also part of the eSTAR program, which is essentially a “dynamic PDF that guides manufacturers toward what documentation they need for a 510k.” As of October 1, 2023, all 510(k) submissions, unless exempted, must be submitted as electronic submissions using eSTAR, as noted in the FDA final guidance, Electronic Submission Template for Medical Device 510(k) Submissions. The eSTAR form provides clear contextual prompts to include ASCA test results in the relevant areas.


So, what’s next for ASCA? Franca told Burroughs that the 2022 Medical Device User Fee Amendment (MDUFA V) also mandates that ASCA work with various stakeholders to expand the program. In the short term, FDA intends to host a webinar next spring to discuss what areas “it makes sense to expand into.” Although nothing is settled, Franca noted that there is potential to expand ASCA into new technical areas, such as cybersecurity and sterility.


How can manufacturers learn more about ASCA and whether the program is a good fit for them? A good place to start is ASCA’s website, which provides documentation on program requirements, how it works and next steps for either labs or manufacturers who want to participate.


Franca also issued a call to action, urging manufacturers to take the plunge and use the program. ASCA has received around three dozen submissions using ASCA testing. “Labs are testing and it’s going well, and premarket review is going relatively well too,” he said. “We’d love to see more.”

