iec-81001-5-1
January 23, 2024

What Is IEC 81001-5-1?

Security & Compliance
Coding Standards

By

The digitalization of healthcare and health software gives users instant access to real-time information, such as how many steps a patient walks in a day, prescription medication refills, and medical diagnosis software equipped with symptoms checkers. But as health software and apps become increasingly connected, cybersecurity vulnerabilities can throw a wrench in the steady stream of healthcare data. 

Fortunately, a healthcare standard has been published that addresses security for medical technology at every phase of the software development lifecycle (SDLC). 

Read along or jump ahead to the section that interests you most. 

Table of Contents

  1. What Is IEC 81001-5-1? 
  2. What Software Does IEC 81001-5-1 Cover? 
  3. How Should Organizations Plan to Use IEC 81001-5-1? 
  4. Cybersecurity Considerations in the SDLC
  5. Recommended Coding Standards for Use with IEC 81001-5-1
  6. How Static Analysis Supports Healthcare Software Security
 

➡️ Sign Up For Your Static Analysis Free Trial

Back to top

What Is IEC 81001-5-1? 

IEC 81001-5-1 "Health software and health IT systems safety, effectiveness and security - Part 5-1: Security - Activities in the product lifecycle" is a recent cybersecurity standard that focuses on how security needs to be taken into account throughout the software lifecycle. 

Why Is IEC 81001-5-1 Important? 

The IEC 81001-5-1 healthcare standard specifically addresses cybersecurity challenges in medical software development. 

The standard doesn't just cover medical devices, but healthcare software more broadly. While it supplements IEC 82304-1, IEC 62304 and others, it extends to include cybersecurity considerations in every phase of the SDLC. 

The EU is planning to harmonize IEC 81001-5-1 starting in May 2024, but the healthcare standard has wider implications for any organization developing medical equipment-containing software, around the world, to ensure the security of their embedded systems. 

Back to top

What Software Does IEC 81001-5-1 Cover? 

This healthcare standard covers many types of embedded systems and products — not just medical devices such as heart monitoring machines and insulin pumps, but also extends to consumer electronics like smart watches and yoga apps, nutrition software, and care planning software. 

The regulations cover: 

  • Software in medical devices
  • Software as part of hardware intended for health use 
  • Software-only products for health use. 
Back to top

How Should Organizations Plan to Use IEC 81001-5-1? 

While the IEC 81001-5-1 healthcare standard targets primarily manufacturers, it also includes other organizations like healthcare delivery organizations (HDOs) that would be in bilateral communication with manufacturers and would share responsibility for cybersecurity. 

Many manufacturers and HDOs are already familiar with standards like IEC 62443-4-1, which will give them a head start. In fact, IEC 81001-5-1 contains an appendix that gives that mapping between the healthcare standard and IEC 62443-4-1. 

However, complying with the new healthcare standard will take time and effort to implement its core requirements, such as enhanced quality management and risk management systems. It is important that organizations start planning now. 

Back to top

Cybersecurity Considerations in the SDLC

Some of the leading cybersecurity challenges for medical devices in 2023 included developing and maintaining secure code in medical devices. By complying with IEC 81001-5-1, organizations can rest assured that their code for all types of embedded systems for health software will be secure. 

As mentioned earlier, IEC 81001-5-1 adds security to all processes in the whole SDLC. The standard contains specifications for the following processes: 

  • Software development
  • Software maintenance
  • Security risk management
  • Software configuration
  • Problem resolution.

The specific activities listed in the standard are: 

  • Configuration management 
  • Design and implementation practices
  • Verification and validation
  • Review
  • Support
  • Updates. 

Implementing secure coding standards consistent with the current secure coding best practices will help to achieve the process specifications laid out in the healthcare standard. Organizations should also embrace a security-first mindset by taking a shift-left approach to security. 

IEC 81001-5-1 provides a minimum set of secure coding best practices in Appendix A.4 including: 

  • Avoid development and design patterns known to have security weaknesses.
  • Avoid banned functions.
  • Avoid code based on undefined and unspecified behavior in programming languages used.
  • Use a secure coding standard (such as MISRA C; CERT C/C++). 
  • Use automated static analysis tools such as Perforce's Helix QAC and Klocwork
📕 Related Resource: Whitepaper: A Software Leader's Guide to H.R. 7667 Compliance for Medical Devices
Back to top

Coding standards are collections of coding rules, guidelines, and best practices that help developers write safe, secure, high quality, and compliant code. Organizations developing health software may be familiar with the recommended coding standards for the test and verification of the software: 

  • MISRA® C is designed for critical software development covering safety and security.
  • CERT C/C++ is designed for secure coding.

In addition, databases like the Common Weakness Enumeration (CWE) give developers access to known issues so they can be incorporated into code inspection and testing strategies. The CWE can also assist in specific requirements given in IEC 81001-5-1. For example, there is a requirement in the healthcare standard to create an activity to identify potential vulnerabilities, which may or may not be part of the code inspection and testing process. 

Applying coding standards can be a time-consuming process when carried out manually, so it's also recommended to use automated tools (like static analysis tools) to automatically check the code for defects and vulnerabilities. 

Back to top

How Static Analysis Supports Healthcare Software Security

Organizations interested in complying with IEC 81001-5-1 can use a static analysis tool — like Helix QAC and Klocwork — to accelerate compliance and ensure security. 

Static analysis reduces developer workload and automates the process by analyzing code as it's being written, and alerts organizations to any changes needed in the code should vulnerabilities arise. 

Static analysis tools also enforce coding standards and guidelines, including CERT and MISRA. 

See for yourself how Perforce static analysis tools ensure health software is compliant and secure. Request your 7-day trial today.

Free 7-Day Trial: Perforce Static Analysis

Back to top
jill-britton

Jill Britton

Director of Compliance, Perforce

Jill Britton has over 30 years of embedded software experience across a variety of industries. She has worked as a software engineer and manager for telecommunications, automotive, defense, and education software.

Jill is now the Director of Compliance at Perforce and is a committee member of MISRA. Jill holds a BSc in Computer Science and Statistics from Newcastle University, and a MSc in Computer Science from Brunel University London.