Medical Device

Cybersecurity
and IEC 81001-5-1
What You Need to Know

White paper

Abstract
In today’s highly connected world, cyberattacks against critical systems and equipment are becoming an all-too-frequent
occurrence. Insurance industry consultancy Embroker notes that cybercrime increased 600% during the Covid-19
pandemic of 2020 and that the number of cyberattacks worldwide is expected to double by the year 2025.1

The issue of cybersecurity is a special concern for several industries, including the medical device industry. Quality
healthcare depends on secure access to advanced medical technologies that use software and communications
protocols to actively exchange vital patient information with other medical systems and devices. Cyber breaches
impacting medical devices put the safety of individual patients at risk and severely compromise the quality of healthcare
for people worldwide.

To help address the growing challenges of software-related cybersecurity concerns linked to medical devices, the
International Electrotechnical Commission (IEC) has published IEC 81001-5-1, “Health software and health IT system
safety, effectiveness and security—Part 5-1: Security—Activities in the product life cycle.” The standard is expected to
gain Harmonized Standard status under the European Union’s (EU) Medical Device Regulation (2017/745, MDR).

In this white paper, we’ll discuss the state of medical device cybersecurity and provide details on the scope and
requirements of IEC 81001-5-1. We’ll also discuss the implementation timeline for the standard, and how device
manufacturers can integrate the standard’s requirements into their product development activities.

TÜV SÜD
Contents
THE IMPORTANCE OF CYBERSECURITY PROTECTION OF MEDICAL DEVICES 3

CYBERSECURITY RISKS ASSOCIATED WITH MEDICAL DEVICES 4

THE CURRENT STATE OF CYBERSECURITY REQUIREMENTS FOR MEDICAL DEVICES 5

THE ROLE OF IEC 81001-5-1 IN STRENGTHENING CYBERSECURITY 6

HOW TÜV SÜD IS WORKING WITH THE MEDICAL DEVICE INDUSTRY TO ADDRESS CYBERSECURITY THREATS 8

CONCLUSION 9

About TÜV SÜD expert

Dr. Abtin Rad
Global Director Functional Safety, Software and Digitization, TÜV SÜD,
Munich Germany
Dr. Abtin Rad has 13 years of professional experience as a Biomedical
and Electrical Engineer focusing on Software, Cybersecurity, and Artificial
Intelligence. Dr. Abtin Rad is a Cybersecurity and Artificial Intelligence
Specialist for medical devices and medical software and a Lead Auditor
for ISO 13485, ISO 9001, MDSAP, and MDD/MDR.

2 Cybersecurity, medical devices, and IEC 81001-5-1 | TÜV SÜD

The importance of cybersecurity protection of
medical devices
The application of new and innovative
technologies has always been a key
factor in the advancements in medical
devices, equipment, and systems that
we enjoy today. But few innovations
in recent memory have done more to
transform healthcare than connected
technologies.
Connected medical devices support
the real-time transfer of important
diagnostic data to information
technology systems, where artificial
intelligence and machine learning can
be used to quickly identify individual
patient health patterns and anomalies.
In addition, connected devices also
allow for the monitoring of device
performance, giving healthcare
3 Cybersecurity, medical devices, and IEC 81001-5-1 | TÜV SÜD
professionals advanced warning of a
potential device failure or malfunction.
Over time, connected devices and the
data they generate provide essential
information on the effectiveness of
various treatment modalities, thereby
making meaningful contributions to
ongoing efforts to improve patient
outcomes.
These and other advantages of
connected medical technologies
are driving significant growth in
this sector of the medical device
industry. A recent report by
ResearchandMarkets on the state of
connected medical devices predicts
that the global medical device
connectivity market will reach $4.9
billion (USD) by 2026. A year-over-
year growth rate of nearly 25% from
the projected $1.7 billion market size
in 2021.2 This growth is also being
driven by efforts to expand access to
healthcare services in remote areas
and support the increased demand for
home healthcare solutions to serve
patients with chronic health issues.
The global medical
device connectivity
market will reach $4.9
billion (USD) by the
year 2026.
Cybersecurity risks associated with medical devices
At the same time, the expanding use of
connected technologies in the delivery
of healthcare services also introduces
a number of potentially significant
cybersecurity risks.
According to some
estimates, approximately
30% of the world’s data
volume is currently
being generated by the
healthcare industry
alone, greater than
the amounts of data
generated by the
manufacturing sector,
financial services, or
media and entertainment
entities.
To begin, health-related information
generated in connection with the care
and treatment of an average patient
is approaching 80 megabytes of data
each year,3 an estimate that doesn’t
include data generated by the rapidly
growing number of consumer-oriented
healthcare apps. According to some
estimates, approximately 30% of the
world’s data volume is currently being
generated by the healthcare industry
alone, greater than the amounts of
data generated by the manufacturing
sector, financial services, or media
and entertainment entities. And
healthcare data is expected to
experience a compound annual
growth rate (CAGR) of 36% between
now and 2025.4
4 Cybersecurity, medical devices, and IEC 81001-5-1 | TÜV SÜD
Like other data sets, health-related
data includes confidential information
that can be misused when accessed
by those with malicious intent.
Names and addresses of patients,
medical conditions and diseases,
prescribed drugs, and therapies,
and even details about insurance
coverage are just some examples of
sensitive data collected by connected
medical devices that are vulnerable to
cybersecurity threats and breaches.
Then there are a number of highly
publicized incidents in which hackers
have uncovered cybersecurity
vulnerabilities in connected medical
devices or device software that would
potentially allow them to gain remote
access and control their operation.
Examples of such incidents include:
■
In 2017, the U.S. Food and Drug
Administration (FDA) issued a recall
of an estimated 465,000 implantable
cardiac pacemakers produced
by a leading medical device
manufacturer. The recall was
issued after it was determined that
a vulnerability in the device design
would allow unauthorized third
parties to modify the pacemaker’s
programming commands.5
■
In 2018, a medical syringe pump
was found to have a critical
vulnerability that would allow an
attacker to direct the operation
of the pump when connected to a
terminal server.6
■
In late 2019, the U.S. FDA identified
11 separate vulnerabilities in a
third-party software component
that supported network
communications. The vulnerabilities
would potentially allow anyone to
take remote control of a device
using the software, change its
function, or cause information leaks
or logic flows that could interfere
with device function.7
■
In early 2020, the U.S. FDA
also notified the industry of
cybersecurity vulnerabilities in
clinical information servers widely
used in healthcare environments.
According to the FDA, the
vulnerabilities could potentially
allow an attacker to remotely take
control of a device connected to
the server, and silence patient
monitor alarms, generate false
alarms, or otherwise interfere with
their intended function.8
Unfortunately, cyberattacks against
connected medical devices are
becoming all too common. According
to a 2020 survey conducted by
Swedish software company ir.deto,
more than 82% of medical device
manufacturers experienced at least
one cyberattack on one or more of
their products in the previous 12
months.9 And, with the anticipated
growth in the deployment and use
of connected medical devices, the
number of cyberattacks is only likely
to increase.

The current state of cybersecurity requirements for

medical devices
Amidst this growing threat landscape
applicable to connected medical
devices, regulators in major
jurisdictions are increasingly aware of
the need to provide the industry with
more clear and direct regulations and
guidance on developing connected
medical devices that can help secure
them from the most likely cyber threats.
Evidence of the growing concern
among regulators is perhaps best
exemplified by the Commission of the
European Union (EU) and their evolving
regulations applicable to cybersecurity
considerations in medical devices.

Major progress was To help device manufacturers better understand how

reflected in the EU’s
MDR issued in 2017
First issued almost 30
and which took full
years ago in 1993, the
effect in 2021 for
EU’s Medical Device
medical devices, and
Directive (93/42/
which includes six
EEC) includes just
paragraphs in Annex
a single sentence
I, “General Safety
that indirectly refers
and Performance
to cybersecurity-
Requirements,” that
related concerns.
directly address
cybersecurity
considerations.
End of the transitional
to address the relevant essential MDR requirements
period for the
applicable to cybersecurity, the EU’s Medical Device
European Medical
Coordination Group (MDCG) issued in December 2019
Devices Regulation
its “Guidance on Cybersecurity for Medical Devices.”
2017/745.
Also known as MDCG 2019-16, the MDCG’s Guidance
From 26 May
runs 46 pages and provides detailed descriptions
2021, new devices
of basic cybersecurity concepts, secure design
have to meet the
and manufacturing practices, documentation and
requirements of
instructions for use, and post-market surveillance and
the MDR in order
vigilance. Recently updated, the Guidance serves as a
to be placed in the
roadmap for manufacturers seeking approval of their
European market.
connected devices for sale in the EU.

1993 2017 2019 2021

Medical Device
Medical Device Medical Device Coordination Group End of MDR
Directive
Regulation (MDCG) 2019-16 transitional period
(93/42/EEC)

5 Cybersecurity, medical devices, and IEC 81001-5-1 | TÜV SÜD

In the U.S., the FDA has published
several of its own guidances
applicable to cybersecurity issues
in medical devices. Issued in 2014,
the FDA’s guidance, “Content
of Premarket Submissions for
Management of Cybersecurity
of Medical Devices,” outlines
considerations that manufacturers
should include as part of their device
design and development phases to
be documented in their submissions
under both its premarket notification
(510(k)) and premarket approval (PMA)
programs. The FDA’s most recent
guidance related to cybersecurity,
The role of IEC 81001-5-1 in strengthening
cybersecurity
In an effort to fill this critical void,
the International Electrotechnical
Commission (IEC) has developed a
new standard focused exclusively
on cybersecurity issues impacting
software used in connected health
technologies, including medical
devices and consumer-oriented health
products and applications.
Released in December 2021 after
more than three years of discussions
and deliberations, IEC 81001-5-1
is an important supplement to IEC
62304, “Medical device software –
Software lifecycle processes,” which
establishes a common framework for
the life cycle processes related to
medical device software. Specifically,
IEC 81001-5-1 addresses security
issues related to all types of “health
software,” which is defined in the
standard as:
6 Cybersecurity, medical devices, and IEC 81001-5-1 | TÜV SÜD
“Postmarket Management of
Cybersecurity in Medical Devices,”
was issued in late 2016 and provides
a framework for medical device
cybersecurity risk management and
details on remediating and reporting
cybersecurity vulnerabilities.
These and other regulations and
guidances reflect the growing
cyber threat and the evolution of
thinking about how manufacturers
can minimize them. However,
there continues to be considerable
divergence within the industry on
the best ways to effectively address
“Software intended to
be used specifically for
managing, maintaining,
or improving the health
of individual persons,
or the delivery of
care, or which has
been developed for
the purposes of being
incorporated into a
medical device.”
As this definition clearly confirms,
the broader scope of “health
software” includes not just
manufacturers of medical devices
but also software developers whose
cybersecurity issues specific to
medical devices. While there are
a number of industry-accepted
standards available that apply to
cybersecurity issues in general,
medical device manufacturers
have lacked a life-cycle standard
that directly addresses the issue of
cybersecurity as it impacts connected
medical devices. The absence of a
dedicated standard has held back
efforts to deploy common strategies to
protect advanced connected medical
technologies from current and future
cybersecurity concerns.
products and applications are used
in a variety of health-related systems
and devices, software as a medical
device (SaMD), and software-only
products intended for health-related
uses.
Further, IEC 81001-5-1 covers health
software’s entire product life cycle,
from product development through
post-market use and monitoring.
For this reason, the standard also
recognizes the critical role of
healthcare delivery organizations in
maintaining effective cybersecurity
practices, emphasizing the importance
of bilateral communications between
device manufacturers and software
developers and those responsible for
the actual use of connected devices.
Like other process-related standards,
IEC 81001-5-1 details the activities to
be undertaken by the manufacturer
General requirements
(clause 4)
Includes the implementation and
application of a quality management
system that includes considerations
of product security, as well as the
application of a risk management
system that addresses security in
information technology devices and
software.
Security risk management
process (clause 7)
Calls for identifying potential
vulnerabilities, threats, and the
associated adverse impacts, an
estimation and evaluation of those
risks, taking steps to control those
risks, and ongoing monitoring to
assess the effectiveness of risk
controls.
IEC 81001-5-1 also includes several
informative Annexes that can help
manufacturers and developers meet
the standard’s requirements. Annex B
guides the implementation of life cycle
activities to help ensure the security
of health software. And Annex
C provides a detailed discussion
of threat modeling, a systematic
approach for analyzing the security of
a device or an application to facilitate
the identification and prioritization of
7 Cybersecurity, medical devices, and IEC 81001-5-1 | TÜV SÜD
or software developer as part of the
overall product development life cycle
to help ensure protection against
Software development process
(clause 5)
Covers conducting a health
software requirements analysis
with special attention to software-
specific security risks, software
design and integration testing,
including threat mitigation
testing, vulnerability and
penetration testing.
Software configuration
management process (clause 8)
Requires manufacturers to develop
a general product development,
maintenance, and support process
that includes configuration
management with change controls
and change history, as well as
information on external components
that are or could be susceptible to
security vulnerabilities.
potential security threats, and offers
details on several approaches that
can be used to develop an accurate
threat model.
IEC 81001-5-1 is expected to be
designated by the EU Commission
as a harmonized standard under the
MDR with an anticipated effective
date in May 2024. The standard is
also likely to be recognized by the
U.S. FCC as a “consensus standard”
cyberthreats. Specific activities are
described in clauses 4 through 9 of the
standard as follows:
Software maintenance process
(clause 6)
Addresses the establishment of a
software maintenance plan that
includes timely delivery of software
updates to protect against new
and emerging cyberthreats, and
modification implementation.
Software problem resolution
process (clause 9)
Includes establishing a process to
receive notifications about potential
security vulnerabilities, review and
analyze those vulnerabilities, and
take steps to address security-
related issues.
that can be used in support of
submissions for 510(k) and PMA
review. But, regardless of the
standard’s actual effective date,
connected device manufacturers and
developers of health software can
gain significant benefits from meeting
the requirements of ISO 81000-5-1 in
current and future product designs.
How TÜV SÜD is working with the medical device
industry to address cybersecurity threats
For decades, TÜV SÜD has been awareness among regulatory range of testing and other services
at the forefront of efforts to comply bodies regarding the importance to fully assess the security of your
with regulatory requirements and of addressing cybersecurity devices and health software against
standards applicable to medical considerations, our testing cyber threats. This includes:
devices. With the increased laboratories offer a comprehensive

Product testing Compliance assessments Customized

This category of cybersecurity testing and This category of testing and cybersecurity tests
services includes the assessment of your services includes testing This includes the
cybersecurity measures for compliance against the requirements development and execution
with the most current regulations, of the standards mentioned of product-specific testing
standards, and guidances, including earlier, vulnerability scans, and methods not addressed
IEC 81001-5-1, IEC TR 60601-4-5, IEC 62304, penetration tests. A detailed in current regulations
MDCG 2019-16, and other applicable test report is provided, along and standards, and
requirements. Systems testing can also with an optional report on assessments of provider-
include vulnerability scans of your devices compliance with EU and FDA specific security solutions.
and software to help identify areas of premarket requirements.
greatest concern.

Our expert technical professionals bring our extensive and in-depth issues, enabling them to bring
conduct these security-related tests experience in the medical device connected medical devices and health
and services in our state-of-the-art industry to help our clients solve software to market.
testing facilities. In every case, we their most challenging cybersecurity

8 Cybersecurity, medical devices, and IEC 81001-5-1 | TÜV SÜD

Conclusion
The growing cyber threat landscape
for connected medical devices
requires that device manufacturers
and software developers take a
proactive approach in designing
their products to minimize the
risk of potential cybersecurity
vulnerabilities. IEC 81001-5-1
provides a detailed roadmap that
manufacturers and developers can
adopt, thereby helping to ensure the
safety and security of their products
throughout their entire lifecycle.

TÜV SÜD is one of the world’s leading

Notified Bodies for the review and
approval of medical devices. TÜV SÜD
is also accredited by the IMDRF’s
Medical Device Single Audit Program
(MDSAP), which provides a path
for demonstrating compliance with
device professionals based in more medical technologies and other
than 30 locations worldwide, TÜV medical devices and software, visit
SÜD has the resources to support www.tuvsud.com/en-us. Or contact
your efforts. us at

[email protected]
key medical device requirements in
the U.S., Canada, Japan, Brazil, and For more information about
Australia. With more than 750 medical TÜV SÜD testing of connected

9 Cybersecurity, medical devices, and IEC 81001-5-1 | TÜV SÜD

FOOTNOTES
[1] “2021 Must-Know Cyber Attack Statistics and Trends,” published on August 11, 2021, [6] “Critical Cybersecurity Vulnerability Found in BD Alaris Plus Pump,” an article posted
and available at https://www.embroker.com/blog/cyber-attack-statistics/ (as of 15 to the website of Cybersecurity News on August 27, 2018 and available at https://
November 2021). healthitsecurity.com/news/critical-cybersecurity-vulnerability-found-in-bd-alaris-plus-
pump (as of 15 November 2021).
[2] “Global Medical Device Connectivity Market Report 2021,” press release published
on August 24, 2021, and available at https://www.businesswire.com/news/ [7] “Urgent/11 Cybersecurity Vulnerabilities in a Widely-Used Third Party Software
home/20210824005471/en/Global-Medical-Device-Connectivity-Market-Report-2021- Component May Introduce Risks During Use of Certain Medical Devices: FDA Safety
Shift-from-Payment-For-Performance-to-Payment-For-Outcomes-Models-is-Boosting- Communication,” issued by the U.S. FDA on October 1, 2019, and available at https://
the-Demand-for-Medical-Device-Connectivity-Solutions---ResearchAndMarkets.com www.fda.gov/medical-devices/safety-communications/urgent11-cybersecurity-
(as of 15 November 2021). vulnerabilities-widely-used-third-party-software-component-may-introduce (as of 15
November 2021).
[3] “Better Patient Outcomes Through Mining of Biomedical Big Data,” published in
December, 2018 and available at the website of Frontiers in ICT at https://www. [8] “Cybersecurity Vulnerabilities in Certain GE Healthcare Clinical Information Central
frontiersin.org/articles/10.3389/fict.2018.00030/full (as of 15 November 2021). Stations and Telemetry Servers: Safety Communication,” issued by the U.S. FDA
on January 23, 2020, and available at https://www.fda.gov/medical-devices/
[4] “The healthcare data explosion,” one of a series of articles on the state of healthcare safety-communications/cybersecurity-vulnerabilities-certain-ge-healthcare-clinical-
produced by RBC Capital Markets (no date), and available at https://www.rbccm.com/ information-central-stations-and (as of 15 November 2021).
en/gib/healthcare/episode/the_healthcare_data_explosion (as of 15 November 2021).
[9] “ir.deto Global Connected Industries Cybersecurity Survey: IOT Cyberattacks Are the
[5] “FDA announces first-ever recall of a medical device due to cyber risk,” an article Norm, The Security Mindset Isn’t,” findings of a survey conducted by ir.deto in 2019
posted to the website of Cisco, and available at https://blogs.cisco.com/healthcare/ and available at https://resources.irdeto.com/assets/global-connected-industries-
fda-announces-first-ever-recall-of-a-medical-device-due-to-cyber-risk (as of 15 cybersecurity-survey-1 (as of 15 November 2021).
November 2021).

COPYRIGHT NOTICE
The information contained in this document represents the current view of TÜV SÜD on the issues discussed as of the date of publication. Because TÜV SÜD must respond to changing
market conditions, it should not be interpreted to be a commitment on the part of TÜV SÜD, and TÜV SÜD cannot guarantee the accuracy of any information presented after the date of
publication. This White Paper is for informational purposes only. TÜV SÜD makes no warranties, express, implied or statutory, as to the information in this document. Complying with all
applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of TÜV
SÜD. TÜV SÜD may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided
in any written license agreement from TÜV SÜD, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
ANY REPRODUCTION, ADAPTATION OR TRANSLATION OF THIS DOCUMENT WITHOUT PRIOR WRITTEN PERMISSION IS PROHIBITED, EXCEPT AS ALLOWED UNDER THE COPYRIGHT
LAWS. © TÜV SÜD Group – 2022 – All rights reserved - TÜV SÜD is a registered trademark of TÜV SÜD Group

DISCLAIMER
All reasonable measures have been taken to ensure the quality, reliability, and accuracy of the information in the content. However, TÜV SÜD is not responsible for the third-party content
contained in this publication. TÜV SÜD makes no warranties or representations, expressed or implied, as to the accuracy or completeness of information contained in this publication.
This publication is intended to provide general information on a particular subject or subjects and is not an exhaustive treatment of such subject(s). Accordingly, the information in this
publication is not intended to constitute consulting or professional advice or services. If you are seeking advice on any matters relating to information in this publication, you should –
where appropriate – contact us directly with your specific query or seek advice from qualified professional people. The information contained in this publication may not be copied, quoted,
or referred to in any other publication or materials without the prior written consent of TÜV SÜD. All rights reserved
© 2022 TÜV SÜD.

10 Cybersecurity, medical devices, and IEC 81001-5-1 | TÜV SÜD

Find out more about TÜV SÜD’s services for
Cybersecurity in Medical Devices
www.tuvsud.com/en-us/medical-device-cybersecurity
[email protected]

Add value. Inspire trust.

TÜV SÜD is a trusted partner of choice for safety, security, and sustainability solutions. It specializes in testing,
certification, auditing, and advisory services. Since 1866, the company has remained committed to its purpose of
enabling progress by protecting people, the environment, and assets from technology-related risks. Through more
than 25,000 employees across over 1,000 locations, it adds value to customers and partners by enabling market access
and managing risks. By anticipating technological developments and facilitating change, TÜV SÜD inspires trust in a
physical and digital world to create a safer and more sustainable future.

GLOBAL HEADQUARTERS TÜV SÜD AMERICA HEADQUARTERS

TÜV SÜD AG TÜV SÜD America Inc.
2022 © TÜV SÜD AG | MKG/MHS/37.0/en/US

Westendstr. 199 401 Edgewater Place, Suite 500

80686 Munich Germany Wakefield, MA 01880
+49 89 5791 0 United States of America
www.tuvsud.com/en +1 978 573 2500
www.tuvsud.com/en-us