Skip to content
CROSSWALK

Addressing Security-Related Issues

Maps to

ISO 14971: §9.1

IEC 62304: §9.8

IEC 81001-5-1: §9.5

Requirement text

Address security-related issues and determine whether to disclose (under 4.1.7) based on impact and acceptable residual risk. Determine whether to handle via problem resolution or updated intended environment of use specifications. Review changes for impact on safety, security, and effectiveness. Inform other processes for other products and revisions. Inform third parties if problems are found in third-party source code used with supported health software. Perform periodic review of open issues (at minimum during each product release; see 4.1.6 and 4.1.8).

What changed

IEC 81001-5-1:2021 is the first standalone cybersecurity standard purpose-built for health software and medical device software. Published in December 2021, it was adapted from IEC 62443-4-1 (industrial control systems security) to address the unique safety and regulatory context of medical devices — adding 64 health-specific requirements that account for patient safety, clinical workflows, and the manufacturer-HDO relationship.

The standard mirrors IEC 62304's lifecycle structure but adds security-specific activities at every phase — planning, development, testing, release, and maintenance. It requires security risk management to be integrated with ISO 14971 safety risk management, not treated as a separate IT concern. FDA formally recognized it as Consensus Standard #13-112 in December 2022 and references it as providing a framework for the Secure Product Development Framework (SPDF) required by Section 524B.

EU MDR harmonization was originally targeted for May 2024 but postponed to May 2028. Despite this delay, Notified Bodies and Competent Authorities universally recognize it as "state of the art" for health software cybersecurity under MDR GSPR Annex I, Section 17.2. Missing or inadequate cybersecurity documentation is already a top cause of Notified Body major non-conformities for SaMD. A December 2025 Interpretation Sheet (ISH1:2025) clarified software item classification into maintained, supported, and required software categories, affecting risk transfer and post-market obligations.

Atomic constraints

  • Security-related issues SHALL be addressed.
  • A determination SHALL be made whether to disclose each issue under clause 4.1.7, based on impact and residual risk.
  • A determination SHALL be made whether to address the issue through problem resolution or updated intended environment of use specifications.
  • Changes made to address issues SHALL be reviewed for impact on safety, security, and effectiveness.
  • Other processes SHALL be informed of issues applicable to other products and revisions.
  • Third parties SHALL be informed if issues are found in third-party source code used with supported health software.
  • Open issues SHALL be reviewed periodically, at minimum at each product release.
  • Proactive vulnerability identification activities must be established — including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), continuous SBOM-based vulnerability scanning, and periodic penetration testing — as distinct from the reactive handling of externally reported vulnerabilities.
  • SAST must be integrated into the development build pipeline to identify security vulnerabilities in manufacturer-developed source code before release.
  • DAST and penetration testing must be performed at defined intervals and after significant changes to the attack surface, to identify exploitable vulnerabilities not detectable through static analysis alone.
  • Continuous SBOM-based vulnerability scanning must monitor the product's SBOM against public vulnerability databases (NVD, CVE) to identify newly disclosed vulnerabilities in components already in production.
  • Records of all proactive vulnerability identification activities must be retained, including the method used, scope, date, findings, and disposition of each finding.

Common gaps

No end-to-end process for security issue remediation

major

Even when vulnerabilities are identified and analyzed, there is no end-to-end process covering remediation development, patch validation, customer notification, coordinated disclosure, and post-fix verification.

Evidence signals

  • FILE_EXISTS

    Security.*Issue.*Resolution|Vulnerability.*Remediation|PSIRT.*Closure|Security.*Change.*Review

  • CONTENT_MATCH

    Does this document describe a process for deciding how to address confirmed security vulnerabilities — including disclosure decisions, remediation or environment-of-use approaches, change impact reviews, and periodic review of open issues at product releases?

Audit defense

Our Security Issue Resolution Procedure (Doc ID: [your document ID]) documents the full resolution lifecycle for security issues in [your product]: disclosure decision records (per 4.1.7), remediation or environment-of-use determinations, change impact reviews, cross-product notifications, and periodic open issue review minutes at each release gate. Third-party notifications are tracked with acknowledgement records.

Review your documents against this clause →

Further reading

Free compliance review. Pay only for the detailed report.

No credit card. No sales call. No consultants required.

Start My Free Review →

Read-only access. Your documents stay in your Drive.