AAMI TIR97
AAMI Technical Information Report on post-market security risk management for medical device manufacturers, the operational companion to TIR57.
Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed June 20, 2026.
Definition
AAMI TIR97 is a Technical Information Report providing guidance on post-market security risk management activities for medical device manufacturers. Where AAMI TIR57 covers security risk management across the full lifecycle (and aligns with ISO 14971), TIR97 zooms in on the post-market phase: vulnerability monitoring, intake and triage, exploitability and patient-safety impact assessment, coordinated disclosure, patch development, customer notification, and the metrics for an effective post-market security program.
What the regulation says
FDA's 2023 Cybersecurity in Medical Devices guidance recognizes AAMI TIR57 and TIR97 as the consensus standards for security risk management, with TIR97 specifically addressing the 'plan to monitor, identify, and address post-market vulnerabilities' required under Section 524B(b)(2)(A).
What this means in practice
TIR97 is the operational playbook for the post-market obligations introduced by FDA Section 524B and the FDA 2023 Cybersecurity in Medical Devices guidance. It defines roles, intake workflows, severity classification (linking exploitability and patient harm), and the artifacts (advisories, VEX statements, customer letters) that prove a vulnerability monitoring plan is real. Many manufacturers structure their post-market security SOPs as a TIR97 implementation.
Common pitfalls
- Implementing TIR57 without TIR97: the lifecycle standard sets requirements that TIR97 makes operationally measurable.
- Skipping the patient-safety impact assessment step and defaulting to CVSS: TIR97 expects an explicit linkage between exploitability and harm.
- Treating customer notification as a marketing artifact rather than a TIR97-required communication with defined content and timing.
Primary references
1. AAMI TIR97:2019. AAMI, array.aami.org
2. FDA Cybersecurity in Medical Devices Guidance (2023). FDA, fda.gov
3. HSCC - Health Sector Coordinating Council. HSCC, healthsectorcouncil.org