Cybersecurity is mandatory. EU Regulation 2017/745 (MDR) requires that medical devices be protected against unauthorized access. For manufacturers of medical devices and health software, this means they must actively address digital threats, both technically and from a regulatory perspective.
IEC 81001-5-1 provides, for the first time, a standalone standard specifically for the cybersecurity of healthcare software throughout the entire software lifecycle.
Why a separate standard for cybersecurity?
Previously, manufacturers had to rely on general lifecycle standards:
- IEC 62304 for the lifecycle of software that is part of a medical device,
- IEC 82304-1 for standalone health software (e.g. apps) that is not embedded in a device.

Both standards only touch on cybersecurity. IEC 81001-5-1 closes this gap: it describes the activities needed to integrate cybersecurity systematically into the development, maintenance, and post-market support of products.
Do you need a quick refresher on medical technology standards and processes?
Standards and processes in medical technology for newcomers - MEDtech Ingenieur GmbH
Not yet harmonized, but still "state of the art"
Although the standard is not yet harmonized under the MDR (harmonization was originally planned for May 2024 and is currently postponed to May 2028), it is already regarded as state of the art. Authorities, notified bodies, and test houses already use it as a benchmark, partly because it is clearer and more specific than the earlier MDCG 2019-16 guidance on cybersecurity.
Precisely because cybersecurity is indirectly mandatory under the MDR (Medical Device Regulation), for example via the requirements on risk analysis and on protection against unauthorized access, IEC 81001-5-1 provides concrete process requirements and best practices with which manufacturers can meet the regulatory requirements in a structured, auditable manner.
Conclusion: Anyone developing health software should take this standard into account today.
What exactly does IEC 81001-5-1 require?
The standard describes requirements for processes and activities across the entire lifecycle of health software. Among other things, it requires:
- secure design (e.g. defense in depth, secure coding standards),
- threat modeling and risk management based on threats (not only on hazards),
- security requirements already in the specification phase,
- vulnerability testing, penetration testing, and software composition analysis (SCA) of third-party components,
- processes for updates, patch management, and secure decommissioning.
The structure is roughly based on IEC 62304. However, there is no classification into software safety classes A, B, and C. Instead, IEC 81001-5-1 relies on a risk-based selection of measures: the scope of activities is not determined by the safety class, but by:
- the threat potential,
- the need for protection (e.g. protection of sensitive data, system availability),
- the deployment environment (e.g., hospital network vs. home use).
How does IEC 81001-5-1 integrate into the QMS?
IEC 81001-5-1 does not stand alone, but builds upon existing standards. It explicitly requires that all cybersecurity activities be implemented within the framework of an established quality management system. This is typically ISO 13485.
What changes will this bring?
- Cybersecurity processes (secure development, maintenance, patch strategies) must be integrated into the existing QMS.
- Responsibilities, roles, and training measures related to security topics must be documented.
- Suppliers of software components must be integrated into the security processes.
And what about risk management?
IEC 81001-5-1 requires a dedicated risk management process for cybersecurity that goes beyond the traditional safety-oriented approach of ISO 14971. Instead of considering only hazards and the harm they can cause, it focuses on:
- threat modeling,
- assessment of vulnerabilities,
- and the adequacy of protective measures from the perspective of a potential attacker.
Anyone who wants to be on the safe side should therefore take AAMI TIR57 into account in addition to ISO 14971.
More information on AAMI TIR57 can be found in our blog post: AAMI TIR57 - Cybersecurity Risk Management for Medical Devices - MEDtech Ingenieur GmbH
If you would like to learn how risk management according to IEC 62304 and ISO 14971 can be implemented in practice, take a look at this article: Software risk management according to IEC 62304 and ISO 14971 - SW FMEA / FMECA for medical device software? - MEDtech Ingenieur GmbH
Are you developing health software or a networked medical device and wondering how to implement cybersecurity in a standards-compliant and pragmatic way? We at MEDtech Ingenieur can support you, whether with a gap analysis, threat modeling, secure software architecture, or the implementation of IEC 81001-5-1.
