Combination Product Industry News & Guidance

Sharing device-related information and wisdom
that will help you succeed

Cybersecurity guidance for any software connected to a combination product

Medical device and combination product developers looking to integrate or connect software have three new FDA standards to add to their regulatory strategy as of this month. But don’t worry about having to recreate the wheel – the new standards are more of a codification of current best practices rather than a whole new set of rules.  

Two of the new standards come jointly from the American National Standards Institute (ANSI) and the Association for the Advancement of Medical Instrumentation (AAMI): 

  • ANSI/AAMI 2700 2-1 (safe use and improvement tactics in data logging within integrated clinical environments (ICE)) 
  • ANSI/AAMI SW96:2023 (medical device software security risk management) 

ANSI/AAMI 2700 2-1 is part of the 2700 family of standards that aim to achieve safe integrated clinical environments. ANSI/AAMI SW96:2023 is based on (and intended to be used in conjunction with) AAMI’s TIR57 and TIR97, essentially putting those technical information reports (TIRs) into normative language. Since both are standards in collaboration between both ANSI and AAMI, we can assume they will likely be acceptable for use in any region/country, not just in the United States where the FDA will be asking sponsors to follow them. 

The third standard, ISO/IEC/IEEE 29119-1:2022 (Software and systems engineering – Software testing – Part 1: General concepts), which comes from the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers Standards Association (IEEE), will also be a more globally recognized standard. Its purpose is to reduce exhaustive software testing down to a more practical, risk-based approach to prioritizing and selecting what testing should be done. 

With all of the new developments and players in cyberspace, it is important to have information security measures in place. These new standards adopted by the FDA should support your ability to reduce risk, implement best practices, and ensure you are doing what is needed to convince the FDA that your connected health products are cyber-secure. 

For more on the subject, read this article by 

To talk about your regulatory pathway with our team, like SaMD expert Rita Lee, PhD, RAC, ex-FDA Reviewers Carolyn Dorgan and Max Lerman, PhD, or other software and cybersecurity subject matter experts, email [email protected] or visit to set up a call. 


Jonathan Amaya-Hodges, Director, Technical Services, Suttons Creek, Inc. – Jonathan has over 16 years of multidisciplinary experience in regulated medical products (drugs, biologics, medical devices, and combination products) at multiple global companies. He has practical experience in Development/Engineering, Quality Assurance, and Regulatory Affairs for various types of combination products with a focus on drug delivery. Additional background includes digital health (including smart packaging/connected devices and software as a medical device, or SaMD) and in vitro diagnostics, along with clinical development (bridging) and lifecycle management for combination products. Jonathan engages with the global combination product community by speaking at conferences, lecturing in courses, serving key roles within prominent industry organizations, and interfacing with regulators on a variety of topics.