IEC 81001-5-1 §5.3.1

IEC 81001-5-1: §5.3.1 DEFENSE-IN-DEPTH ARCHITECTURE/design

Devices designed with a flat security architecture — where all components have equivalent access to all others, and where a single exploited vulnerability can cascade to full system compromise — violate the defense-in-depth principle that the security engineering community has recognized as foundational since the 1990s. Medical devices that concentrated all security in a perimeter control while providing no internal segmentation were compromised by attackers who bypassed or manipulated the perimeter — a predictable outcome that the defense-in-depth requirement directly prevents. IEC 81001-5-1:2021 clause 5.3.1 requires the security architecture to implement multiple independent layers of security controls, so that the failure of any single control does not expose the full attack surface to an adversary. For medical devices, this principle applies across the full system: network boundary controls, host-level controls, application-level controls, and data-level controls should each be designed to limit the blast radius of a breach of any single layer. FDA's premarket cybersecurity guidance explicitly references defense-in-depth as an expected architectural property in cybersecurity documentation.

IEC 81001-5-1:2021 is the first standalone cybersecurity standard purpose-built for health software and medical device software. Published in December 2021, it was adapted from IEC 62443-4-1 (industrial control systems security) to address the unique safety and regulatory context of medical devices — adding health-specific requirements that account for patient safety, clinical workflows, and the manufacturer-HDO relationship.

The standard mirrors IEC 62304's lifecycle structure but adds security-specific activities at every phase — planning, development, testing, release, and maintenance. It requires security risk management to be integrated with ISO 14971 safety risk management, not treated as a separate IT concern. FDA formally recognized it as Consensus Standard 13-122 on December 19, 2022 and references it as providing one acceptable framework for satisfying the cybersecurity requirements of Section 524B(b)(2), which requires manufacturers to design, develop, and maintain processes and procedures to provide a reasonable assurance that cyber devices and related systems are cybersecure.

EU MDR harmonization was originally targeted for May 2024 but postponed to May 2028. Despite this delay, Notified Bodies and Competent Authorities universally recognize it as "state of the art" for health software cybersecurity under MDR GSPR Annex I, Section 17.2. Missing or inadequate cybersecurity documentation is already a top cause of Notified Body major non-conformities for SaMD. A December 2025 Interpretation Sheet (ISH1:2025) clarified software item classification into maintained, supported, and required software categories, affecting risk transfer and post-market obligations.