IEC 62304 §9.2 problem investigation and ISO 13485 complaint evaluation activities covering applicability assessment and root cause determination.
Severity-differentiated triage timelines, periodic SBOM-based vulnerability review against NVD and vendor advisories as a proactive activity, not only reactive handling of reported issues.
Triage records with severity-tiered response windows and periodic security assessment records — purely reactive triage without scheduled proactive SBOM review does not satisfy the periodic review obligation.
Maps to
IEC 81001-5-1: §9.3 Reviewing VULNERABILITIES
IEC 62304: §9.2 Investigate the problem
Requirement text
Investigate vulnerabilities in a timely manner to determine: a) applicability to the product, b) verifiability, c) related threats.
Why this clause exists
Receiving vulnerability reports without a structured review process leads to inconsistent handling: some reports are investigated promptly, others languish in a queue, some are dismissed without analysis, and the organization loses track of which reports have been fully evaluated. A security problem that arrives as a vague operator report — 'the device behaved unexpectedly after receiving a malformed packet' — may require expert interpretation to recognize as an exploitable vulnerability; without a formal review process that assigns ownership and defines evaluation criteria, these reports are frequently under-investigated. IEC 81001-5-1:2021 clause 9.3 requires a formal vulnerability review step that follows intake, at which each reported issue is evaluated to determine whether it constitutes a security problem, its severity, and the appropriate response pathway. This review step is distinct from the deeper technical analysis in clause 9.4 — clause 9.3 is the triage and classification stage, not the root cause analysis stage, but it must be performed with sufficient rigor to route each report to the correct response pathway without undue delay.
What changed
IEC 81001-5-1:2021 is the first standalone cybersecurity standard purpose-built for health software and medical device software. Published in December 2021, it was adapted from IEC 62443-4-1 (industrial control systems security) to address the unique safety and regulatory context of medical devices — adding health-specific requirements that account for patient safety, clinical workflows, and the manufacturer-HDO relationship.
The standard mirrors IEC 62304's lifecycle structure but adds security-specific activities at every phase — planning, development, testing, release, and maintenance. It requires security risk management to be integrated with ISO 14971 safety risk management, not treated as a separate IT concern. FDA formally recognized it as Consensus Standard 13-122 on December 19, 2022 and references it as providing one acceptable framework for satisfying the cybersecurity requirements of Section 524B(b)(2), which requires manufacturers to design, develop, and maintain processes and procedures to provide a reasonable assurance that cyber devices and related systems are cybersecure.
EU MDR harmonization was originally targeted for May 2024 but postponed to May 2028. Despite this delay, Notified Bodies and Competent Authorities universally recognize it as "state of the art" for health software cybersecurity under MDR GSPR Annex I, Section 17.2. Missing or inadequate cybersecurity documentation is already a top cause of Notified Body major non-conformities for SaMD. A December 2025 Interpretation Sheet (ISH1:2025) clarified software item classification into maintained, supported, and required software categories, affecting risk transfer and post-market obligations.
Common gaps (what we see in audits)
- Vulnerability triage lacks severity-based response timelines — When vulnerabilities are reported, there is no defined triage process with severity-based response timelines. All vulnerabilities receive the same priority (or none), leading to critical vulnerabilities languishing alongside minor findings.