ISO 13485 post-market surveillance and complaint monitoring processes covering field issues from customers and distributors.
Active CVE and security advisory monitoring — NVD, ICS-CERT, OS vendor feeds, ISAC bulletins — with documented recurring review cadence covering SBOM components.
Vulnerability monitoring procedure and review records showing SBOM-component-level CVE assessment — absence of automated feed monitoring is a major post-market gap.
Maps to
IEC 81001-5-1: §6.2.1 Monitoring public incident reports
IEC 62443-4-1: §DM-1
Requirement text
Actively collect and review relevant sources of information about vulnerabilities regarding supported software, including health software components and third-party dependencies.
Why this clause exists
Manufacturers who wait for customers to report vulnerabilities in their deployed products are systematically late: security researchers, national CERTs, and intelligence agencies are actively monitoring public vulnerability databases and coordinated disclosure channels, and customer-discovered vulnerabilities have typically been exploitable for months before customer detection. Proactive monitoring of public vulnerability intelligence sources — the National Vulnerability Database, ICS-CERT advisories, vendor security bulletins for SBOM components — is the mechanism by which manufacturers can know about vulnerability exposures in their products before those exposures are exploited. The Heartbleed vulnerability in 2014 illustrated this dynamic at scale for the health sector: manufacturers of medical devices containing OpenSSL could not assess their exposure until they knew whether their product's OpenSSL version was affected — a question that required them to have an accurate SBOM cross-referenced against CVE records. IEC 81001-5-1:2021 clause 6.2.1 requires active monitoring of public incident reports and vulnerability sources as a formal post-market activity, not a reactive customer support function.
What changed
IEC 81001-5-1:2021 is the first standalone cybersecurity standard purpose-built for health software and medical device software. Published in December 2021, it was adapted from IEC 62443-4-1 (industrial control systems security) to address the unique safety and regulatory context of medical devices — adding health-specific requirements that account for patient safety, clinical workflows, and the manufacturer-HDO relationship.
The standard mirrors IEC 62304's lifecycle structure but adds security-specific activities at every phase — planning, development, testing, release, and maintenance. It requires security risk management to be integrated with ISO 14971 safety risk management, not treated as a separate IT concern. FDA formally recognized it as Consensus Standard 13-122 on December 19, 2022 and references it as providing one acceptable framework for satisfying the cybersecurity requirements of Section 524B(b)(2), which requires manufacturers to design, develop, and maintain processes and procedures to provide a reasonable assurance that cyber devices and related systems are cybersecure.
EU MDR harmonization was originally targeted for May 2024 but postponed to May 2028. Despite this delay, Notified Bodies and Competent Authorities universally recognize it as "state of the art" for health software cybersecurity under MDR GSPR Annex I, Section 17.2. Missing or inadequate cybersecurity documentation is already a top cause of Notified Body major non-conformities for SaMD. A December 2025 Interpretation Sheet (ISH1:2025) clarified software item classification into maintained, supported, and required software categories, affecting risk transfer and post-market obligations.
Common gaps (what we see in audits)
- No systematic monitoring for vulnerabilities in deployed components — Manufacturers do not have automated processes for monitoring vulnerability databases (NVD, CISA/ICS-CERT, vendor advisories) for newly disclosed vulnerabilities affecting their product's software components. Monitoring is reactive rather than proactive.