Recently, a new cybersecurity standard, IEC 81001-5-1:2021, Health software and health IT systems safety, effectiveness and security – Part 5-1: Security – Activities in the product life cycle, was released. As the name implies, this standard addresses the overall software development lifecycle (SDLC) with regard to cybersecurity activities. For medical device manufacturers, this is very helpful and when combined with IEC 62304 (see our post on training) can make for a complete set of SDLC activities for managing both safety risks and cybersecurity risks.
What parts of the lifecycle are addressed in this new cybersecurity standard?
As you might expect, the standard addresses the expected stages of the SDLC that align with IEC 62304:
- Software development planning
- HEALTH SOFTWARE requirements analysis
- Software architectural design
- Software design
- Software unit implementation and VERIFICATION
- Software integration testing
- Software system testing
- Software release
- Software maintenance
While IEC 62304 has requirements for “safety risk management,” IEC 81001-5-1 has requirements for “security risk management.” With regard to the “software problem resolution process” described in IEC 62034, 81001-5-1 focuses on receiving, reviewing, and analyzing vulnerabilities. The standard has required elements, but also provides “best practices” and defensive design strategies.
Where can you obtain a copy of the standard?