Standards Development

Scope

This document presents an informative set of common, high-level security-related capabilities and additional considerations to be used across the entire life cycle of HEALTH SOFTWARE (including MEDICAL DEVICE software) and for the information exchange between the MEDICAL DEVICE MANUFACTURERS (MDMs), health software manufacturers, HEALTH DELIVERY ORGANIZATIONS (HDOs) and/or other stakeholders.

Purpose

ISO 81001-1 and all part of ISO 81001 and IEC 81001 series documents is applicable to all parties including medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs). This document provides guidance on the implementation, disclosure and communication of medical device security needs, risks and controls for both health software manufactures (including MDMs) and HDOs.

The informative set of common, high-level SECURITY CAPABILITIES presented are intended to be the baseline for a security-centric discussion between all stakeholders; including manufacturers, vendors, HDO, purchasers, etc. The level of effort is scalable across all sized ORGANIZATIONS and should be adjusted based on RISK tolerance and balanced to the g oals to be achieved. Application of this document can be used across the lifecycle of the IT -NETWORK or HEALTH SOFTWARE.

This document withdraws and replaces:

• IEC TR 80001-2-2:2012, Application of risk management for IT-networks incorporating medical devices — Part 2-2: Guidance for the communication of medical device security needs, risks and controls

• IEC TR 80001-2-8:2016, Application of risk management for IT-networks incorporating medical devices - Part 2-8: Application guidance - Guidance on standards for establishing the security capabilities identified in IEC TR 80001-2-2

The main changes are as follows:

• Combines and updates the contents of IEC TR 80001 -2-2 and IEC TR 80001-2-8.

• Extends the scope to health software instead to only medical devices.

• Aligns contents and definitions to ISO 81001-1:2021 and the updated IEC 80001-1:2021.

• Provide security control mappings to several new standards, e.g., IEC 60601 -4-5, IEC 62443-4-2, ISO/IEEE 11073-40102 and the recent versions of previous standards, e.g., ISO/IEC 27002:2022 and NIST 800-53 version 5.