IEC 81001-5-1: An important standard for medical IT security


In order to increase the cybersecurity of software applications in the medical field, including medical devices, and maintain a correct balance between security, efficiency and protection, a standard for IT security has been released: IEC 81001-5-1:2021, Health software and health IT systems safety, effectiveness and security — Part 5-1: Security — Activities in the product life cycle. It focuses on the need to consider IT security within the design and development of software products, adding activities and tasks that improve the specific aspects of security within the software life cycle processes.

Why it’s important

The security of medical software is of fundamental importance to the health and safety of patients. A cyberattack on a medical device, whether software-based or controlled by software, could compromise its operation, with potentially serious consequences for the patient’s health.

The manufacturer should then use this standard to help outline the development, maintenance, and post-marketing processes to ensure that the medical software applications they release have a certain level of security.

IEC 81001-5-1:2021 is derived from IEC 62443-4-1, an international standard that provides, among other topics, a framework for managing the cybersecurity of industrial control systems.

It provides an in-depth description of all the documents and their primary contents that must be produced during the various phases of the medical software life cycle and represents an integration of the IEC 62304 Medical device software – Software life cycle processes standard, filling its cybersecurity gaps.

Furthermore, this standard allows companies producing medical devices to respond to the requests of Regulation 2017/745 MDR, especially with regard to what is reported in Annex I point 17.2 in relation to IT security, which until now were mainly covered by the MDCG 2019-16 Guideline (Guidance on Cybersecurity for Medical Devices).

This standard, IEC 81001-5-1, is expected to be harmonised by the EU, with a target date of 24 May 2024.

Structure of the IEC 81001-5-1 standard

The structure of this standard broadly follows that of IEC 62304. In fact, like that standard, it is divided not only into the General Requirements but also into the same 5 processes also present in IEC 62304, which are:

  • Section 5: Software Development Process
  • Section 6: Software Maintenance Process
  • Section 7: Security Risk Management Process
  • Section 8: Software Setup Process
  • Section 9: Software Troubleshooting Process

In its introductory section, IEC 81001-5-1, in addition to declaring that it is aimed at the design, development and maintenance of medical applications, also emphasizes bilateral communication with other organizations (such as those providing healthcare), which have responsibility, once the application has been developed and released, for the security of medical software and the systems in which such software is incorporated. For example, it requires that operators must promptly notify manufacturers of IT security issues so that they can collaborate to find the right solutions.

What does IEC 81001-5-1 regulate?

Main topics

The main requirements set by IEC 81001-5-1 for the safe development and maintenance of medical software concern:

  • Integrating cybersecurity into the product lifecycle: Cybersecurity must be considered a priority right from the software design and development phase. This means that security requirements must be identified and defined early in the product lifecycle (Security by Design).
  • Risk assessment: It is necessary to identify and assess the IT security risks associated with the software, both in terms of impact and probability. The risk analysis must be conducted based on a specific approach that takes into account the following factors:
    • The criticality of software for patient health and safety
    • The likelihood of a cyber attack
    • The impact of a cyber attack
  • Security measures: Appropriate security measures must be implemented to mitigate identified risks. Security measures may include:
    • Authentication and Authorization: Use multifactor authentication and role-based authorization to restrict software access to authorized users.
    • Encryption: Encrypt sensitive data, such as medical or personally identifiable information.
    • Access control: Allow a limited number of users to access the software.
    • Threat Monitoring: Use threat monitoring tools to detect and respond to cyber attacks.
  • Security testing: Software should be tested to ensure that security measures are effective. Static and dynamic security scanning tools should be used to identify and fix potential security vulnerabilities in the code.
  • Patch Management: Security patches must be installed promptly to address discovered non-conformities. Ensure that the software is designed to allow for the rapid deployment of security patches when vulnerabilities are discovered (Maintainability Criterion).
  • User training: Users must be trained on the safety procedures to follow.

Basic prerequisites

The Basic Prerequisites of IEC 81001-5-1 are the requirements that must be met before an organization can implement the provisions of the standard. These requirements have been introduced to ensure that the organization is in the necessary conditions for the correct implementation of secure software.

The basic prerequisites of IEC 81001-5-1 include the following elements:

  • Leadership and commitment: The organization must demonstrate its commitment to medical software security.
  • Organization: The organization must have a structure that supports medical software security.
  • Resources: The organization must have the resources necessary to implement medical software security.
  • Communication: The organization must be able to effectively communicate medical software security to all stakeholders.
  • Documentation: The organization must document its security activities applied to medical software.

Processes 

The processes defined in IEC 81001-5-1, the list of which has been previously reported in this document, are the processes that an organization must implement to ensure the security of medical software.

These processes are, as previously mentioned, very similar to those of the IEC 62304 standard, but are more specialized for managing cybersecurity in the medical field. They are designed to cover the entire software lifecycle, from design to maintenance, and include the following:

  • Risk management: This process is responsible for identifying, assessing, and mitigating security risks associated with medical software and must be integrated with other organizational processes, such as development and secure maintenance. The main phases of this process include:
    • Identify security risks associated with medical software. Some of the specific cybersecurity risks associated with healthcare software include:
      • Unauthorized access: An attacker could access healthcare software and modify or delete sensitive data, or even take control of the device.
      • Intrusion: An attacker could gain access to the system and collect and misuse sensitive data, such as medical or personal identification data.
      • Denial-of-Service (DoS): An attacker could render the system unusable, preventing healthcare workers from providing care to patients.
    • Assess the security risks associated with medical software based on criteria that take into account, for example, the severity and probability of the identified risks
    • Mitigate security risks associated with such software by defining appropriate risk control actions
    • Update your software: It is important to install security patches promptly.
    • Constantly monitor and review the security risks associated with such software as cyber threats are constantly evolving
  • Secure development: This process is responsible for the design, development, and validation of medical software. It must ensure that these aspects are implemented in compliance with security requirements. The main phases of this process include:
    • Define security requirements for medical software, which must be appropriate to the type of device and the associated security risks.
    • Design medical software starting from the principle of Security by design in order to guarantee the robustness of the solutions.
    • Develop medical software using, for example, well-established and verified development libraries and frameworks, avoiding, where possible, writing custom code for complex security features.
    • Verify and validate medical software rigorously; for example, by ensuring that the software application’s functionality verifies that user-entered data is clean and secure before processing it. It would also be useful to conduct periodic penetration testing and vulnerability testing to identify and correct weaknesses that could be exploited by attacks.
  • Secure Procurement: This process is responsible for purchasing secure medical software. It must ensure that each medical software product purchased complies with the organization’s security requirements. The main phases of this process include:
    • Define security requirements for medical software to be purchased.
    • Perform a risk assessment of the medical software you are purchasing.
    • Negotiate medical software purchasing contracts, ensuring they contain protocols on the necessary security requirements.
  • Secure Maintenance: This process is responsible for maintaining medical software securely. It must ensure that changes to medical software are made taking into account the product’s security aspects and that the changes do not introduce any new vulnerabilities. The main phases of this process include:
    • Define secure maintenance requirements for medical software.
    • Perform change management of medical software taking into account the security aspects of the software product
    • Perform a security assessment of the modified medical software by conducting a new risk analysis when necessary and also taking into account what is publicly available on the same topic
  • Safe Operations: This process is responsible for the safe use of medical software. It must ensure that the software is used in accordance with the manufacturer’s instructions. The main phases of this process include:
    • Communicating safety procedures to users, through the provision of a User Manual containing comprehensive information on the safety aspects of the released device and the operations that the user must perform to ensure such safety.
    • User training on safety procedures.
    • Monitoring medical software during its use to verify the product’s cybersecurity status

Quality aspects defined in IEC 81001-5-1

IEC 81001-5-1, Article 4, specifies the requirements for a Quality Management System (QMS) applicable to manufacturers of medical software applications. The standard requires manufacturers to integrate IT security processes into their Quality Management System.

The QMS requirements for medical device software manufacturers are divided into three categories:

  • General requirements: which apply to all Quality Management Systems, regardless of the type of product or service provided, and are as follows:
    • Leadership: Management shall demonstrate its commitment to the Quality Management System and to compliance with applicable requirements.
    • Planning: Management shall establish Policies and Objectives for the Quality Management System.
    • Support: Management shall provide the necessary resources for the Quality Management System including an Information Security expert.
    • Operations: The manufacturer must implement processes and procedures for the design, production, installation, maintenance, and distribution of medical device software.
    • Performance Evaluation: The manufacturer shall monitor and measure the performance of the Quality Management System and take actions to improve that performance.
    • Continuous improvement: The manufacturer must adopt a proactive approach to the continuous improvement of the Quality Management System.
  • Specific requirements for medical software products: which focus on product safety, effectiveness and compliance and which include:
    • Risk approach: The manufacturer must identify, assess, and control the risks associated with medical software products, with particular attention to those related to IT security.
    • Control of design and development processes: The manufacturer must implement processes and procedures to ensure that medical software products are designed and developed safely and effectively.
    • Control of manufacturing and installation processes: The manufacturer must implement processes and procedures to ensure that medical software products are developed and installed in compliance with applicable requirements.
    • Control of maintenance and repair processes: The manufacturer must implement processes and procedures to ensure that medical software products are maintained and repaired in accordance with applicable requirements.
    • Product information control: The manufacturer must ensure that product information is accurate and complete.
    • Monitoring Complaints and Adverse Event Reports: The manufacturer must collect and evaluate complaints and adverse event reports related to medical software products.
  • Requirements for conformity assessment: of medical software products with applicable requirements, including:
    • Documentation: The manufacturer must document the Quality Management System and the results of the conformity assessment.
    • Verification: The manufacturer must verify the compliance of medical software products with the applicable requirements.
    • Validation: The manufacturer must validate the performance of medical software products under the intended conditions of use.

How to implement the processes defined in IEC 81001-5-1

Organizations can then implement the processes defined in IEC 81001-5-1 by carrying out the following activities:

  • Define a medical software security policy that supports process implementation.
  • Assign Responsibilities and Resources for Process Implementation.
  • Train staff on safety procedures.
  • Document management processes.
  • Carry out continuous monitoring and improvement interventions on processes