Why IEC 81001-5-1 Is Essential
IEC 81001-5-1 occupies a critically important position in cybersecurity measures for medical device software. Published in 2021, this standard serves as the first comprehensive cybersecurity process standard specifically designed for the medical device industry and has been rapidly adopted by global regulatory authorities.
Traditionally, IEC 62304 (Medical Device Software – Software Life Cycle Processes) has served as the foundation for medical device software development. However, considering the escalating cybersecurity risks in recent years, IEC 62304 processes alone are insufficient to achieve comprehensive cybersecurity measures. Therefore, it has become essential to systematically integrate cybersecurity-specific activities into IEC 62304 processes.
Origins of IEC 81001-5-1 and Cross-Industry Connections
IEC 81001-5-1 is an adaptation of IEC 62443-4-1, a cybersecurity standard for Industrial Automation and Control Systems (IACS), tailored to the medical device sector. The IEC 62443 series has a long-standing track record in critical infrastructure such as power grids, chemical plants, and oil and gas facilities, and this knowledge has been transferred to the medical device industry.
This cross-industry knowledge transfer enables medical device developers to leverage proven security best practices from other industries. The structure of IEC 81001-5-1 adopts a process-oriented approach similar to IEC 62304, making it an accessible framework for medical device manufacturers.
Global Regulatory Trends and Adoption Status
The regulatory significance of IEC 81001-5-1 is evident from its adoption worldwide.
Status in Japan
Since April 2024, compliance with IEC 81001-5-1 has been mandatory for medical device approval applications in Japan. The Ministry of Health, Labour and Welfare (MHLW) and the Pharmaceuticals and Medical Devices Agency (PMDA) position cybersecurity as a crucial element of medical device safety and strongly require adherence to this standard.
Status in the United States
The U.S. FDA recognized IEC 81001-5-1 as a consensus standard in 2022 and explicitly identified it as a recommended framework in its cybersecurity guidance “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” issued in 2023 and June 2025. The FDA expects manufacturers to integrate cybersecurity into their quality management systems in premarket submissions, and IEC 81001-5-1 functions as a concrete guideline for achieving this integration.
Status in the European Union
In May 2024, the European Commission issued a decision to postpone the harmonization deadline for standards under the Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR) until 2028. However, this postponement is a temporary measure, and major Notified Bodies such as Team NB and the German Association of Notified Bodies (IGNB) strongly recommend that manufacturers adopt IEC 81001-5-1 as “state of the art” at an early stage. In practice, many Notified Bodies have begun considering compliance with this standard as an evaluation factor in their assessment processes.
Furthermore, the EU Cyber Resilience Act (CRA), which came into force in December 2024, imposes security risk management and lifecycle security requirements similar to those for medical devices on non-medical devices such as apps and cloud services that form part of the medical device ecosystem, promoting enhanced security awareness across the entire medical device industry.
Integration of Terminology and Establishment of Common Language
To implement cybersecurity measures effectively, it is necessary to appropriately map security-related terminology to existing terminology used in medical device development. This is because cybersecurity experts are not necessarily familiar with the terminology used in IEC 62304, medical device-specific terminology, or terminology used in risk management. By translating these terms into security-related terminology with which they are familiar, smooth inter-departmental communication and effective implementation of countermeasures become possible.
IEC 81001-5-1 plays a central role in achieving this terminology mapping and integrated security management. Manufacturers are required to establish, and continuously maintain, the management of security risks related to health software as part of a comprehensive product risk management approach. IEC 81001-5-1 provides detailed guidance for implementing this process concretely.
The specific terminology correspondence is shown in the table below.
| ISO 14971 Terminology | Corresponding IEC 81001-5-1 Terminology | Description |
|---|---|---|
| Hazard | Security Hole / Vulnerability | Weakness or defect in the system |
| Hazardous Situation | Threat | Potential attack or condition that could exploit a vulnerability |
| Harm | Cybersecurity Incident | Actual damage resulting from a security breach |
This terminology mapping enables security experts to understand risks in medical devices more intuitively and develop appropriate countermeasures. Simultaneously, medical device developers can more easily integrate security experts’ recommendations into existing risk management frameworks.
Risk Analysis Process and Security Levels
The actual risk analysis flow begins with the identification of “vulnerabilities.” When a malicious attacker focuses on these vulnerabilities and plans a cybersecurity incident, a “threat” emerges. Specific threats include unauthorized access, Distributed Denial of Service (DDoS) attacks, malware infections, ransomware attacks, and even targeted attacks specific to medical devices. These threats must be documented and analyzed through systematic threat modeling.
Unlike IEC 62304’s safety class classification, IEC 81001-5-1 applies all requirements to all software. However, it enables a risk-based approach by introducing the concepts of Security Levels (SL) and Security Capabilities (SC).
Security Levels are a concept inherited from IEC 62443 and are defined in five stages from SL 0 to SL 4.
| Security Level | Definition | Assumed Attacker |
|---|---|---|
| SL 0 | No protection measures | None |
| SL 1 | Prevention of accidental information disclosure | Casual or coincidental exposure |
| SL 2 | Prevention of intentional attacks using basic means | Low resources, generic skills, low motivation |
| SL 3 | Prevention of intentional attacks using sophisticated means | Moderate resources, medical device-specific skills, moderate motivation |
| SL 4 | Prevention of intentional attacks using the most advanced means | High resources, advanced skills, high motivation |
If these threats materialize, they could lead to delayed diagnosis or treatment, inappropriate treatment, medical device malfunction, patient data leakage or tampering, and, in the worst case, situations that endanger patient lives. While cases of significant harm have been limited to date, as the network connectivity of medical devices increases, these must be taken seriously as future risks.
IEC 81001-5-1’s 64 Requirements and Implementation
IEC 81001-5-1 does not require a complete overhaul of existing Software Development Lifecycle (SDLC) processes. Rather, it requires the integration of 64 additional cybersecurity requirements into existing frameworks such as IEC 62304 and ISO 13485.
These requirements are applied throughout the software lifecycle and include activities such as:
Requirements in Development Phase
- Establishment of security risk management processes
- Implementation of threat modeling
- Application of secure design principles
- Secure coding practices
- Documentation of security architecture
Requirements in Verification and Validation Phase
- Implementation of vulnerability assessments
- Penetration testing by independent evaluators
- Documentation of security testing
- Code reviews and static/dynamic analysis
Requirements in Post-Market Phase
- Continuous security monitoring
- Development of incident response plans
- Patch and update management
- Establishment of vulnerability disclosure processes
- Issuance of security notifications
The workload required to meet these requirements is considered comparable to IEC 62304 Class B software. Therefore, for manufacturers developing Class B or Class C software, adding to existing processes is considered relatively straightforward.
Addressing Legacy Devices
IEC 81001-5-1 applies not only to newly developed devices but also to existing devices (legacy devices) already on the market. However, regulatory authorities provide transitional frameworks, and a different assessment approach from full development lifecycle compliance is permitted for legacy devices.
Manufacturers are required to assess existing devices, implement risk mitigation measures for new requirements, and implement security controls while avoiding complete redesign of systems or software architecture. This allows manufacturers to continue market supply while progressively achieving compliance with cybersecurity requirements.
Relationship with IEC/TR 60601-4-5
While IEC 81001-5-1 defines process requirements for “how to develop securely,” IEC/TR 60601-4-5 (Medical Electrical Equipment – Part 4-5: Guidance and Interpretation – Safety-related Technical Security Specifications) defines technical requirements for “what to implement.”
IEC/TR 60601-4-5 is based on IEC 62443-4-2 and defines 123 security requirements based on seven Foundational Requirements.
Seven Foundational Requirements
- Identification and Authentication Control
- Use Control
- System Integrity
- Data Confidentiality
- Restricted Data Flow
- Timely Response to Events
- Resource Availability
By combining these two standards, manufacturers can establish a comprehensive cybersecurity program. It is recommended to develop according to IEC 81001-5-1 processes while incorporating the technical requirements defined in IEC/TR 60601-4-5 into Hardware Requirements Specifications (HRS) and Software Requirements Specifications (SRS).
Importance of the Standard and Future Outlook
The importance of IEC 81001-5-1 lies in providing a common language between cybersecurity experts and medical device developers in medical device development. This standard enables effective collaboration between both parties, ultimately contributing to improved patient safety. Furthermore, this standard enables continuous assessment and management of security risks throughout the medical device lifecycle.
As medical device network connectivity and digitalization progress, compliance with IEC 81001-5-1 is no longer optional but has become a mandatory requirement for manufacturers operating in global markets. Early adoption enables manufacturers to gain advantages such as:
- Ensuring regulatory compliance and facilitating market access
- Product differentiation and competitive advantage
- Reducing liability risks associated with cybersecurity incidents
- Gaining trust from investors, customers, and partners
- Improving adaptability to future regulatory changes
Moreover, IEC 81001-5-1 does not exist in isolation; an integrated approach with existing medical device standards such as ISO 13485 (Quality Management Systems), IEC 62304 (Software Lifecycle Processes), ISO 14971 (Risk Management), and IEC 82304-1 (Health Software) is required. By integrating these standards, comprehensive product protection can be achieved from both safety and security perspectives.
Thus, IEC 81001-5-1 is positioned as an indispensable standard in modern medical device development, and its importance is expected to increase further in the future. Manufacturers are recommended to approach this standard not merely as a regulatory requirement but as an opportunity to improve product reliability and patient safety, and to engage with it proactively.