🪴 Quartz 4.0

IEC 81001-5-1: The Standard for Secure Health Software

2 min read

last highlighted date: 2024-04-17

Highlights

  • The EU is currently planning to harmonize IEC 81001-5-1, with a current target date of May 24th, 2024.
  • “software intended to be used specifically for managing, maintaining, or improving health of individual persons, or the delivery of care, or which has been developed for the purpose of being incorporated into a medical device
  • Many of the requirements in IEC 81001-5-1, though, are not new for manufacturers of medical devices and in some cases they are redundant: the standard takes content from numerous existing specifications such as the framework of the National Institute of Standards and Technology (NIST), guidance documents from the FDA and IEC 62443 (“Industrial communication networks - IT security for networks and systems”).
  • Security life cycle (e.g. threat analysis)
    • Note: what does it mean?
  • The title of 5.7.5 of IEC 81001-5-1 is Managing conflicts of interest between testers and developers. It is about achieving objectivity when evaluating test results
  • IEC 82304-1: “General requirements for product safety”. It primarily focuses on dangers that may be caused by the product itself (such as danger to humans caused by defective software)
  • The overlaps with the related (but not specific to medical devices) standards IEC 62443-4-1 and IEC 62304 were taken into account in the draft of IEC 81001-5-1. The relationship with both standards is explicitly explained in Annex A of IEC 81001-5-1.
  • IEC 62443 relates to “industrial communication networks – IT security for networks and systems”
  • IEC 81001-5-1 is based on the requirements of IEC 62443-4-1, but the corresponding regulations have been tailored more specifically to health software (concepts, reference to corresponding standards such as ISO 14971)
  • What is good
  • Compact, but comprehensive At around 60 pages, IEC 81001-5-1 is relatively compact.
  • Clearly delineated requirements The levels of liability are clear (e.g. “manufacturer can”, “… should”, “…. shall”). The document also lists clear requirements that mean the document can be used for an implementation strategy.
  • IEC 62304 addresses the software life cycle but does not say anything about the specific requirements in terms of IT security

Graph View

Backlinks

  • No backlinks found