IEC 62304 §9.8 problem resolution and ISO 14971 §10 post-production activities covering change impact review and corrective action processes.
Disclosure decision workflow, proactive vulnerability identification (SAST, DAST, continuous SBOM scanning, periodic pen testing), third-party notification, and open issue review at every release gate.
Issue resolution records with disclosure decisions, proactive vulnerability identification activity records, and release-gate review minutes — absence of proactive identification separate from reactive handling is a major post-market gap.
Maps to
IEC 81001-5-1: §9.5 Addressing SECURITY-related issues
ISO 14971: §10 Production and post-production activities
IEC 62304: §9.8 Test documentation contents
Requirement text
Address security-related issues and determine whether to disclose (under 4.1.7) based on impact and acceptable residual risk. Determine whether to handle via problem resolution or updated intended environment of use specifications. Review changes for impact on safety, security, and effectiveness. Inform other processes for other products and revisions. Inform third parties if problems are found in third-party source code used with supported health software. Perform periodic review of open issues (at minimum during each product release; see 4.1.6 and 4.1.8).
Why this clause exists
Addressing security-related issues is the culmination of the problem resolution process — the stage at which analysis (clause 9.4) translates into a documented remediation decision and implementation that closes the vulnerability. The range of possible responses is wide: a code fix that eliminates the vulnerability, a configuration change that removes the exploitable condition, a compensating control that reduces exploitability below the risk acceptance threshold, or a documented residual risk acceptance with operator-facing compensating guidance. IEC 81001-5-1:2021 clause 9.5 requires that the remediation path be formal and documented, that the implemented fix be tested, and that the security risk management record be updated to reflect the resolution. Organizations that fix vulnerabilities informally — no change request, no security impact assessment, no re-test, no update to the risk register — cannot demonstrate to regulators that their security problem resolution process meets the requirements of the standard. The connection between clause 9.5 and the security update policy (clause 6.1) closes the post-market loop: analysis feeds remediation, remediation feeds the update, and the update returns to verified safe operation.
What changed
IEC 81001-5-1:2021 is the first standalone cybersecurity standard purpose-built for health software and medical device software. Published in December 2021, it was adapted from IEC 62443-4-1 (industrial control systems security) to address the unique safety and regulatory context of medical devices — adding health-specific requirements that account for patient safety, clinical workflows, and the manufacturer-HDO relationship.
The standard mirrors IEC 62304's lifecycle structure but adds security-specific activities at every phase — planning, development, testing, release, and maintenance. It requires security risk management to be integrated with ISO 14971 safety risk management, not treated as a separate IT concern. FDA formally recognized it as Consensus Standard 13-122 on December 19, 2022 and references it as providing one acceptable framework for satisfying the cybersecurity requirements of Section 524B(b)(2), which requires manufacturers to design, develop, and maintain processes and procedures to provide a reasonable assurance that cyber devices and related systems are cybersecure.
EU MDR harmonization was originally targeted for May 2024 but postponed to May 2028. Despite this delay, Notified Bodies and Competent Authorities universally recognize it as "state of the art" for health software cybersecurity under MDR GSPR Annex I, Section 17.2. Missing or inadequate cybersecurity documentation is already a top cause of Notified Body major non-conformities for SaMD. A December 2025 Interpretation Sheet (ISH1:2025) clarified software item classification into maintained, supported, and required software categories, affecting risk transfer and post-market obligations.
Common gaps (what we see in audits)
- No end-to-end process for security issue remediation — Even when vulnerabilities are identified and analyzed, there is no end-to-end process covering remediation development, patch validation, customer notification, coordinated disclosure, and post-fix verification.