October 2019 Standards Navigator Report

This content is only available to Standards Navigator subscribers.  See our Subscribe page for information on subscriptions.

SoftwareCPR Standards Navigator provides information and tools related to standards that play a significant role in health software and software intensive medical devices. In addition to information on existing standards, SoftwareCPR Standards Navigator keeps you up to date on new standards activity and gives you expert insight into future changes to existing standards.

Recent standards and regulatory activity

Medical device software

  • IEC 62304 Edition 2 did not achieve consensus during the 1st circulation as a Draft International Standard. The project team of IEC/SC 62A – ISO/TC 215/JWG 7 revised the document and this was circulated as a Committee Draft. The project team met to resolve comments received on the Committee Draft and a second Draft International Standard of IEC 62304 Ed. 2 has been circulated for vote. This vote will complete at the end of 2019.

Medical devices

  • IEC/TC 62 and ISO/TC 210 plan to establish a Joint Advisory Group on Life Cycle Aspects for Medical Devices. The primary focus of the proposed Joint Advisory Group will be on improving access to and availability of safe and effective medical devices for all citizens in support of their health. The secondary focus will be on environmental considerations, including reuse of medical devices and device parts and other circular economy aspects. The Joint Advisory Group will examine and report on gaps between the current state and an ideal future state, along with options or suggestions for closing those gaps, and the need for possible standardization activities on medical device life cycle aspects. The Joint Advisory Group is to produce a final report by 12 months after starting. The scope of the Joint Advisory Group will be all aspects of the medical device life cycle, including:
  • development, manufacturing, installation, maintenance, repair, on-site testing, refurbishment, upgrade, remanufacturing of medical devices;
  • repair with used parts, possibly after refurbishment or remanufacturing;
  • reuse of parts for new medical devices;
  • reuse of medical devices intended for single use or short-term use;
  • end-of-life aspects such as (final) decommissioning and recycling;
  • decommissioning to a next user (change of ownership of the device), including cross-border donation to other facilities or users;
  • environmental aspects;
  • security aspects, including handling and removal of stored data;


  • AAMI TIR97, Principles for medical device security – Post-market security management for device manufacturers, has been approved by the AAMI Standards Board and is now published in the AAMI store.
  • A committee draft of IEC 80001-5-1 Security Activities in the Product Lifecycle has been circulated for comment. This document specifies activities that the manufacturer of health software shall perform towards the information security of the health software product. These activities extend the processes required by IEC 62304. This new standard draws heavily on the practices in IEC 62443-4-1:2018 Security for industrial automation and control systems – Part 4-1: Secure product development lifecycle requirements. After it has been completed and adopted, it is expected to be used in regulatory activities.
  • A draft technical report for part 2 of ISO 11633 Information Security management for remote maintenance of medical devices and medical information systems has been issued. This part covers Implementation of an information security management system (ISMS). It stipulates the risk assessment necessary to protect remote maintenance activities, taking into consideration the special characteristics of the healthcare field such as patient safety, and jurisdictional legal requirements and privacy protections. It provides practical examples of risk analysis that support healthcare facilities and remote maintenance service providers implementing risk assessment.
  • A draft technical report, ISO 22696 Guidance for identification and authentication for connectable Personal Health Devices (PHDs) has been circulated for comment. This document is applicable to identification and authentication between the bidirectionally connected PHDs and gateway by providing possible use cases and the associated threats and vulnerabilities. Since some smart devices with mobile healthcare apps and software may connect to the healthcare service network, these devices are considered connectable PHDs in this document.
  • A draft technical report, ISO 21332 Cloud computing considerations for health information systems security and privacy has been circulated for comment. This technical report provides an overview of security and privacy requirements for Electronic Health Records (EHR) in a cloud computing service. It identifies core EHR security and privacy requirements where cloud computing services are considered possible.
  • NIST has released a related report on Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. Although not specific to health care, the report provides insights to inform organizations’ risk management processes to improve the quality of its risk assessments for IoT devices. It recognizes that risks of safety, reliability and resiliency need to be managed simultaneously with cybersecurity and privacy risks because of the effects addressing one type of risk can have on others, but focuses on cybersecurity and privacy risks. Three high level risk mitigation goals are identified:
    • Protect device security
    • Protect data security
    • Protect individuals’ privacy

Recommendations are provided for addressing cybersecurity and privacy risk mitigation challenges for IoT devices.

Drafts referenced in this post listed below for temporary review and feedback.  All comments or feedback on these drafts or on this post should be directed to seagles@softwarecpr.com








SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and others for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future.  Focus is not simply what the standard says, but what is meant and discuss examples and approaches one might implement to comply.  Special deep discount pricing available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  TBD

Email training@softwarecpr.com to request a special pre-registration discount.  Limited number of pre-registration coupons.

Registration Link:




Being Agile & Yet Compliant (Public or Private)

Our SoftwareCPR unique approach to incorporating agile and lean engineering to your medical device software process training course is now open for scheduling!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  •  Frequent release management
  • And more!

2-days onsite (4 days virtual) with group exercises, quizzes, examples, Q&A.

Instructors: Mike Russell, Ron Baerg

Next public offering: March 7 & 28, 2024

Virtual via Zoom

Registration Link:

Register Now



Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process with central focus on the cybersecurity risk analysis process. Overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD

Corporate Office

15148 Springview St.
Tampa, FL 33624
Partners located in the US (CA, FL, MA, MN, TX) and Canada.