[Translate to English:]

The IEC 81001-5-1: Standard for the development and maintenance of cyber-secure health software

In December 2021, the International Electrotechnical Commission (IEC) published the IEC 81001-5-1 standard "Health software and health IT systems Safety, effectiveness and security – Part 5-1: Security – Activities in the product life cycle". It represents the standard for the cyber-secure development of healthcare software and its protection against unauthorized tampering throughout its lifecycle. We explain who is affected by the standard, what exactly it regulates and how it relates to other regulations.

Who is affected by the standard?

The primary goal of IEC 81001-5-1 is to increase the cybersecurity of healthcare software and thus patient and data safety. To this end, it defines measures and tasks that relate to the various stages of the entire life cycle of healthcare software – starting with cybersecure development, through marketing, to operation.

The standard is thus primarily aimed at manufacturers and developers of healthcare software. However, it also includes the operators (healthcare delivery organizations or HDOs), for example by requiring that they receive sufficient information from the manufacturer on the secure operation of the products. And it holds the HDOs themselves accountable, for example by requiring them to inform the manufacturer promptly in the event of cybersecurity problems.

What does IEC 81001-5-1 mean by healthcare software?

In Chapter 3 (Terms and definitions), paragraph 15, the standard defines healthcare software as "software that is specifically intended for the management, maintenance, or improvement of the health of individuals or for care, or that is designed to be integrated into a medical device."

Specifically, the term "healthcare software" thus includes software as part of a medical device and as part of healthcare hardware, as well as standalone software (software as a medical device, SaMD). However, software for health related use that is not medical software in the narrower sense is also covered by the standard – for example, fitness apps, apps for nutritional counseling, or software for care planning.


What does IEC 81001-5-1 regulate?

As a process-related standard, IEC 81001-5-1 describes precisely which measures are to be implemented during the development and throughout the lifecycle of healthcare software in order to protect the software or the containing product from cyber threats. For example, it provides specific guidance on processes for software development and maintenance, security risk management, and software configuration management. It also requires manufacturers to ensure that security-relevant software from third-party suppliers that has been developed specifically for the product in question also meets the requirements for the development of secure software.

The specifications are concretized in chapters 4 to 9:

  • Chapter 4 – requirements for a quality and risk management system in relation to cybersecurity
  • Chapter 5 – cybersecure development considering all phases from software development plan to requirements engineering to vulnerability and penetration testing
  • Chapter 6 – Creation and implementation of a software maintenance plan (secure, rapid deployment of security updates), monitoring of incident reports
  • Chapter 7 – Risk management, especially identification and assessment of threats and vulnerabilities, risk control measures and monitoring of their effectiveness
  • Chapter 8 – Configuration management for product development, maintenance and support
  • Chapter 9 – Troubleshooting of reported threats and vulnerabilities, steps to investigate and resolve the corresponding security issues

In the appendices (A to G), the security standard also provides a great deal of helpful information and guidelines for implementing the requirements. These include, for example, best practices for secure coding, guidelines for analyzing the special requirements of healthcare software, an approach for identifying and prioritizing potential security threats, and a guide for implementing activities along the lifecycle.


The standard in the context of other standards and regulations

The standard closes a gap that previously existed between various relevant standards and regulations. On the one hand, IEC 81001-5-1 transfers the requirements of ISO 14971, which are primarily related to safety, to the area of security. On the other hand, it is based on the security requirements of IEC 62443 for industrial communication networks and shows how these can be fulfilled in the development and maintenance of health software. In addition, it supplements the safety-related requirements of IEC 62304 for the development and maintenance of medical product software with security-specific specifications.

The IEC 81001-5-1 and the MDR

The Medical Device Regulation (MDR) of 2017 formulates numerous explicit requirements for the cybersecurity of medical devices in Annex I and requires, among other things, measures for IT security in accordance with the "generally recognized state of the art". In line with the focus on the entire life cycle of a product, both pre-market and post-market aspects are considered. However, the requirements are only outlined in very general terms.

With the concrete specifications, guidelines and best practices of IEC 81001-5-1, the implementation of the security lifecycle requirements of the MDR is now possible. Harmonization of the standard under the Medical Devices Regulation is planned for May 2024.


Sources of supply

IEC 81001-5-1:2021 can be purchased from Beuth-Verlag or VDE-Verlag.


Develop cybersecure software according to IEC 81001-5-1

NewTec supports manufacturers and developers in the cyber-secure development of embedded software or the development of standalone healthcare software. As security specialists, we also offer consulting and training on security lifecycle management.

Questions? Contact us: Contact

Or call us at +49 7302 9611-0