Approved work item
ISO/AWI 81001-5-2
Health software and health IT systems safety, effectiveness and security — Part 5-2: Security Risk Management for Manufacturers
Reference number
ISO/AWI 81001-5-2
Edition 2
90129
A working group has prepared a draft.

Abstract

This document provides requirements and guidance when addressing design, production and post-production security risk management across the lifecycle within the risk management framework defined by ISO 14971. This document assists manufacturers and other users of the standard with the following:

  • identifying threats, vulnerabilities, and assets associated with medical devices and their components and supply chain vendors;
  • estimating and evaluating associated security risks;
  • determining appropriate security risk controls to reduce security risks;
  • verifying and monitoring the effectiveness of the security risk controls;
  • establishing an enterprise-wide process to manage security post-production interactions with users and other stakeholders that ensures security of medical devices and systems used to provide medical care;
  • creating design features that enable production and post-production management of security risk and effective integration with healthcare delivery organization (HDO) network security policies and technologies, or other operational contexts;
  • coordinating communications with HDOs for security risks;
  • understanding and communicating the security expectations from manufacturers to those who deploy their medical devices in a user environment;
  • implementing processes to manage and monitor fielded medical devices containing either (1) traditional software (including firmware), (2) programmable logic, or (3) hardware for security vulnerabilities;
  • implementing security risk management processes to 1) assess security risk in order to decide when action is required and 2) coordinate with safety risk management processes;
  • coordinating with HDOs on security risk management activities;
  • developing, implementing, and operationalizing a coordinated vulnerability disclosure process;
  • implementing processes to manage medical device security patching; and
  • planning for medical device retirement.
This document is applicable to the entire life cycle of a medical device including design, production, and post-production phases. End of Support (EOS) and End of Guaranteed Support (EOGS) are milestones in the post-production phase of the medical device and may vary according to differing market and jurisdictional factors. This document expands on the information provided in Clause 10 “Production and post-production activities” of ISO/TR 2497 by highlighting the need for proactive monitoring to assess threats and detect vulnerabilities. It references the coordinated safety/security risk assessment approach that was presented in Clause 9 of AAMI TIR57, “Production and post-production information.”

General information

  • Status: Draft
    Stage: New project registered in TC/SC work programme [20.00]
  • Edition: 2
  • Technical committee: ISO/TC 215
