Medical devices and health software: a closer look to the related ISO standards

09 Dec 2024 10:35 PM - By itSMF Staff

Reading time: ~ 3 min.

Medical devices and health software: data protection and security and the main related ISO standards

The growing availability of technological solutions that can be implemented in the health industry products and services brings new challenges regarding the need of compliance to high levels of protection and security of (sensitive) data.

To manage these needs of data security and protection related to medical devices and health softwares, we can consider in particular the IEC 81001-5-12021.

In the next lines, we're going to understand how this standard can be relevant and its main correlations with the European Regulations and other ISO standards.

Medical devices and health software: IEC 81001-5-1:2021 standard

The IEC 81001-5-1:2021 on «Health software and health IT systems safety, effectiveness and security – Part 5-1: Security – Activities in the product life cycle» defines the life cycle requirements in health software development and maintenance.

This standard provides a common framework for secure health software life cycle processes, thanks to its set of processes, activities and tasks. These are the main sections of the documentation:

✅ 1 Scope

✅ 2 Normative references

✅ 3 Terms and definitions

✅ 4 General requirements

✅ 5 Software development process

✅ 6 Software maintenance process

✅ 7 Security risk management process

✅ 8 Software configuration management process
✅ 9 Software problem resolution process

✅Annex A (informative) Rationale
✅Annex B (informative) Guidance on implementation of security life cycle activities
✅Annex C (informative) Threat modelling

✅Annex D (informative) Relation to practices in IEC 62443-4-1:2018
✅ Annex E (informative) Documents specified in IEC 62443-4-1

✅Annex F (normative) Transitional health software
✅ Annex G (normative) Object identifiers

The purpose of IEC 81001-5-1:2021 standard is to increase the health software cybersecurity through activities and tasks in the health software life cycle processes as well as improving security in software life cycle processes themselves.

IEC 81001-5-1 standard and the relationship with European regulation and ISO standards

If we take a closer look at the IEC 81001-5-1 standard we can detect some natural correlations with the European regulation on Medical devices, the MDR 2017/745. The correlations are detectable both on software embedded into medical devices as well as for SaMD (Software as a Medical Device).

We can find also relevant correlations with ISO/IEC 20000-1:2018 standard on «Information technology — Service management Part 1: Service management system requirements», in this case regarding the common requirements in the software developement cycle.

If we take a glimpse in the future, we can imagine that there will be stronger correlations between the management of the software cycle and the security requirements in the development of AI solutions in medical device industry.

In this case, the correlation is between IEC 81001-5-1 and the ISO/IEC 42001:2023 standard on «Information technology — Artificial intelligence — Management system».

To better figure out the «big picture», take a look at our infographic:

If you want to keep you up-to-date with the most recent news on this topic, don't forget to follow us on our social media channels or subscribe to our newsletter: every month, you'll get valuable content from our experts.

SUBSCRIBE TO OUR NEWSLETTER