By Phil Englert
The IEC 81001-5-1:2021 standard (commonly cited as ISO 81001-5-1), Health software and health IT systems safety, effectiveness and security, Part 5-1: Security, Activities in the product life cycle, provides guidance on the cybersecurity of health software and health IT systems, including medical devices. Part 5-1 focuses on security activities across the product life cycle. The standard is critical for ensuring that medical devices are secure by design, protect patient data and maintain the integrity of health care operations. Japan, Singapore and the European Union have harmonized on the standard for assessing cybersecurity controls during regulatory review. The FDA cites 81001-5-1 three times in its premarket cybersecurity guidance, in the sections on the Secure Product Development Framework (SPDF), as a basis for managing cybersecurity risks and implementing security controls and testing requirements. When procuring medical device technology, health care providers can leverage the cybersecurity requirements of ISO 81001-5-1 to reduce the risks those devices introduce to their networks and clinical environments. Let's review the cybersecurity considerations of ISO 81001-5-1 and then discuss how to leverage the standard during the procurement process.
The Secure Product Development Framework (SPDF) gives manufacturers a set of processes that, when effectively implemented, help them demonstrate a reasonable assurance of safety and effectiveness during the regulatory submission process. Manufacturers should integrate security into each phase of development, from design through deployment. The standard calls for a secure development life cycle that includes secure coding practices, regular security testing and code reviews. It emphasizes a robust threat modeling and risk management process: identifying, assessing and mitigating cybersecurity risks throughout the device's life cycle. Medical device manufacturers must perform threat modeling and continuously re-evaluate the cybersecurity risks posed by their devices, since the threat picture changes after release. Device design should include security features that protect against unauthorized access, tampering and other threats; these include strong authentication, encryption and secure communication protocols implemented within the device itself rather than assumed from the surrounding network. Manufacturers must establish a process for monitoring, identifying and addressing vulnerabilities in their devices, including a commitment to provide timely security patches and updates for newly discovered vulnerabilities. ISO 81001-5-1 requires that medical devices protect sensitive data, including patient information, from unauthorized access and breaches, and the standard recommends encrypting data at rest and in transit to preserve its confidentiality and integrity.
Manufacturers should develop an incident response plan for cybersecurity breaches, including communication, containment and recovery procedures, so that devices can be restored to a known-secure state following an incident. ISO 81001-5-1 emphasizes robust access controls, such as multi-factor authentication (MFA) and role-based access control (RBAC), to limit device access to authorized personnel only. Manufacturers should regularly perform rigorous security testing, including penetration testing, vulnerability assessments and validation of security controls under realistic conditions, to identify and address security flaws before and after release. Finally, the standard requires comprehensive documentation of the device's security features, risk management processes and incident response procedures. This documentation should be made available to health care providers to help them understand and manage the cybersecurity risks associated with the device in their own environment.
In summary, the eight primary product development functions required by ISO 81001-5-1 are:
- Secure Software Development Lifecycle (SDLC)
- Risk Management and Threat Modeling
- Security by Design
- Data Protection and Privacy
- Incident Response and Recovery
- User Access Control
- Security Testing and Validation
- Documentation and Transparency
When procuring medical devices, health care providers can leverage the requirements of the ISO 81001-5-1 standard to ensure that the devices they acquire meet high cybersecurity standards, thereby reducing risks to the organization, protecting patient data, keeping patients safer and building organizational resilience.
Begin by including specific ISO 81001-5-1 cybersecurity requirements in requests for proposals (RFPs), so that only vendors that understand and adhere to the standard, and can meet stringent cybersecurity criteria, are considered. One tool that may assist with this process is PDM24064, Software Acquisition Guide for Government Enterprise Consumers, released by CISA on August 1, 2024, and developed in response to the core challenges of software assurance and cybersecurity transparency in the acquisition process. Evaluate potential vendors on their adherence to ISO 81001-5-1 and their overall cybersecurity approach; this incentivizes vendors to prioritize cybersecurity once they know it is a key factor in purchasing decisions. Verify that the device was developed with security in mind and is regularly assessed for vulnerabilities by requesting detailed documentation from vendors, including evidence of conformance with ISO 81001-5-1, cybersecurity risk assessments and security testing results. Manufacturers may resist sharing documentation they submitted for regulatory review, but you want to understand the threats they identified and how component selection and controls mitigate them. You have a right to know the residual risks and how they can be managed within your environment, because a risk the manufacturer has accepted is one your organization will be operating with. When practicable, conduct independent security assessments or require the vendor to provide results from third-party security audits to gain additional assurance that the device meets your organization's security requirements.
Ensure that service level agreements (SLAs) with vendors include provisions for ongoing cybersecurity support, including patch management, vulnerability disclosure and incident response, to maintain the security of devices throughout their operational life in your clinical environment. Use the Health Sector Coordinating Council's Model Contract-Language for Medtech Cybersecurity to negotiate more explicit obligations and accountability across the product life cycle. Include contract terms that require vendors to provide post-market security updates, including patches and ongoing risk assessments, so the device remains protected against emerging threats after deployment. Once devices are deployed, integrate them into your network's cybersecurity monitoring and incident response systems. Because many medical devices cannot run endpoint agents and may not tolerate active scanning, this typically means passive network monitoring technology that provides real-time detection of, and response to, security incidents involving the device without interacting with it directly.
By leveraging the ISO 81001-5-1 standard in the procurement process, health care providers can significantly reduce the cybersecurity risks associated with medical devices, thereby protecting patient data, ensuring device functionality and maintaining overall clinical safety.