Software Requirements in Medical Devices

26. February 2026

IEC 81001-5-1 defines requirements for the secure design, development and maintenance of software used in medical devices across the whole product life cycle, with a strong emphasis on testing as a means of managing cybersecurity risk.


An increasing number of medical devices incorporate complex software that processes sensitive patient data and supports clinical decision-making, so the need for systematic cybersecurity risk management keeps growing. IEC 81001-5-1 was developed to give manufacturers of medical device software clear requirements for maintaining security throughout the entire life cycle of a device, from design through post-market maintenance.

The standard requires manufacturers to perform a cybersecurity risk assessment as early as the design phase. This includes identifying potential threats such as unauthorised access, manipulation of data, or disruption of device operation. A key part of this process is threat modelling; the standard requires it but leaves the method to the manufacturer, and the STRIDE methodology (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) is commonly used because it gives a structured way to enumerate threat categories against each interface and data flow. Based on these analyses, manufacturers must build appropriate security measures into the software architecture, including authentication mechanisms, data encryption, protection against malicious code, and access control.

In addition to technical measures, manufacturers must ensure traceability of all security-related decisions, establish processes for vulnerability management, and prepare incident response plans. Security does not end when the device is placed on the market: the standard also requires ongoing software maintenance, regular updates, and continuous monitoring of emerging threats. An important element is the Software Bill of Materials (SBOM), which lists every software component in the product, including third-party and open-source libraries, together with its version, origin, support status and known vulnerabilities, and which must be kept current so that newly published vulnerabilities in a listed component are detected and acted on.
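The monitoring step described above, checking each SBOM entry against published advisories and supplier support dates, is what a manufacturer's vulnerability-management process has to do repeatedly after release. The following is an added example, not code from the standard or from SIQ, showing that check in Python over a constructed CycloneDX-style SBOM fragment. The component names, advisory identifiers, version ranges and end-of-support dates are all fictitious; the advisory format (vulnerable from an introduced version up to, but not including, a fixed version) follows the common OSV convention and is an assumption about the feed a manufacturer would consume.

```python
import json
from datetime import date

# Constructed CycloneDX-style SBOM fragment. Component names are fictitious.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "netparse",   "version": "2.2.0", "purl": "pkg:generic/netparse@2.2.0"},
    {"name": "cryptolite", "version": "1.4.3", "purl": "pkg:generic/cryptolite@1.4.3"},
    {"name": "legacy-hl7", "version": "0.9.1", "purl": "pkg:generic/legacy-hl7@0.9.1"}
  ]
}
"""

# Constructed advisories keyed by the version-less PURL. A component is
# affected from `introduced` (inclusive) up to `fixed` (exclusive).
ADVISORIES = [
    {"id": "ADV-0001", "purl": "pkg:generic/netparse",
     "introduced": "2.0.0", "fixed": "2.3.1", "severity": "high"},
    {"id": "ADV-0002", "purl": "pkg:generic/cryptolite",
     "introduced": "1.0.0", "fixed": "1.4.0", "severity": "critical"},
]

# Constructed supplier support status: end-of-support date per component.
SUPPORT = {
    "pkg:generic/netparse": "2027-12-31",
    "pkg:generic/cryptolite": "2028-06-30",
    "pkg:generic/legacy-hl7": "2024-01-31",
}


def parse_version(text):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def purl_base(purl):
    """Strip the '@version' suffix so a component can be matched to advisories."""
    return purl.split("@", 1)[0]


def is_affected(version, advisory):
    """True if `version` falls inside the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory.get("fixed")
    return fixed is None or v < parse_version(fixed)


def assess(sbom_json, advisories, support, as_of):
    """Return one finding per known vulnerability or support problem in the SBOM."""
    today = date.fromisoformat(as_of)
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        base = purl_base(comp["purl"])
        for adv in advisories:
            if adv["purl"] == base and is_affected(comp["version"], adv):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "issue": adv["id"], "severity": adv["severity"]})
        eol = support.get(base)
        if eol is None:
            # No support data at all is itself a finding: the origin is not traceable.
            findings.append({"component": comp["name"], "version": comp["version"],
                             "issue": "support-status-unknown", "severity": "medium"})
        elif date.fromisoformat(eol) < today:
            findings.append({"component": comp["name"], "version": comp["version"],
                             "issue": "end-of-support", "severity": "medium"})
    return findings


if __name__ == "__main__":
    for f in assess(SBOM_JSON, ADVISORIES, SUPPORT, "2026-02-26"):
        print(f"{f['severity']:8} {f['component']} {f['version']}: {f['issue']}")
```

Two design points matter in practice. Versions are compared as integer tuples, because a string comparison would rank 2.9.9 above 2.10.0 and silently miss a fix. And a component with no support data is reported rather than skipped, since an SBOM entry whose origin and support status cannot be established is exactly the gap the standard's traceability requirement is meant to close.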

The standard also mandates several types of testing, including static and dynamic code analysis, penetration testing, input robustness testing (fuzzing), and verification of the third-party libraries and components used. Tests must be planned and performed to check the software's resilience against known and foreseeable attacks, and each test should trace back to a threat or mitigation identified in the threat model, so that the test evidence demonstrates that the chosen mitigations actually work rather than merely that the software runs.

By meeting these requirements, manufacturers not only fulfil their regulatory obligations but also significantly reduce the risk of security incidents, strengthen user trust, and secure the long-term sustainability of the device. IEC 81001-5-1 therefore represents an important step toward a safer and more reliable digital healthcare ecosystem.

Find out more about SIQ services in the field of medical devices.