EN IEC 81001-5-1:2022
Health software and health IT systems safety, effectiveness and security - Part 5-1: Security - Activities in the product life cycle
This document defines the LIFE CYCLE requirements for development and maintenance of HEALTH SOFTWARE needed to support conformance to IEC 62443-4-1[11] – taking the specific needs for HEALTH SOFTWARE into account. The set of PROCESSES, ACTIVITIES, and TASKS described in this document establishes a common framework for secure HEALTH SOFTWARE LIFE CYCLE PROCESSES. An informal overview of activities for HEALTH SOFTWARE is shown in Figure 2.
[Figure 2 - HEALTH SOFTWARE LIFE CYCLE PROCESSES; derived from IEC 62304:2006[8], Figure 2]
The purpose is to increase the CYBERSECURITY of HEALTH SOFTWARE by establishing certain ACTIVITIES and TASKS in the HEALTH SOFTWARE LIFE CYCLE PROCESSES and also by increasing the SECURITY of SOFTWARE LIFE CYCLE PROCESSES themselves.
It is important to maintain an appropriate balance of the key properties SAFETY, effectiveness and SECURITY as discussed in ISO 81001-1[17].
This document excludes specification of ACCOMPANYING DOCUMENTATION contents.
Gesundheitssoftware und Gesundheits-IT-Systeme Sicherheit, Effektivität und Security - Teil 5-1: Security - Aktivitäten im Produktlebenszyklus
Logiciels de santé et sécurité, efficacité et sûreté des systèmes TI de santé - Partie 5-1 : Sûreté - Activités du cycle de vie du produit
Health software and health IT systems safety, effectiveness and security - Part 5-1: Security - Activities in the product life cycle (IEC 81001-5-1:2021)
1.1 Purpose
This document defines the LIFE CYCLE requirements for the development and maintenance of HEALTH SOFTWARE needed to support conformance to IEC 62443-4-1, taking the specific needs of HEALTH SOFTWARE into account. The set of PROCESSES, ACTIVITIES and TASKS described in this document establishes a common framework for secure HEALTH SOFTWARE LIFE CYCLE PROCESSES.
[Figure 1]
The purpose is to increase the CYBERSECURITY of HEALTH SOFTWARE by establishing certain ACTIVITIES and TASKS in the HEALTH SOFTWARE LIFE CYCLE PROCESSES and also by increasing the SECURITY of these SOFTWARE LIFE CYCLE PROCESSES themselves.
It is important to maintain an appropriate balance of the key properties SAFETY, effectiveness and SECURITY, as discussed in IEC 81001-1.
This document does not include specification of the contents of ACCOMPANYING DOCUMENTATION.
1.2 Field of application
This document applies to the development and maintenance of HEALTH SOFTWARE by a MANUFACTURER, but recognizes the critical importance of two-way communication with organizations (e.g. healthcare delivery organizations, HDOs) that are responsible for the SECURITY of the HEALTH SOFTWARE and of the systems into which it is incorporated once the software has been developed and released. The IEC/ISO 81001-5 series of standards (of which this is part 1) is therefore designed to include future parts addressing SECURITY in the implementation, operation and use phases of the LIFE CYCLE for organizations such as HDOs.
Medical device software is a subset of HEALTH SOFTWARE. Therefore, this document applies to:
– software as part of a medical device;
– software as part of hardware specifically intended for health use;
– software as a medical device (SaMD); and
– software-only PRODUCTS intended for other health use.
NOTE: In this document, the scope of software considered part of the LIFE CYCLE ACTIVITIES relating to the security of HEALTH SOFTWARE is larger and includes more software (drivers, platforms, operating systems) than for SAFETY, because for SECURITY the focus will be on any kind of use, including foreseeable unauthorized access, and not only on the INTENDED USE.
[Figure 2]
1.3 Conformance
Conformance of HEALTH SOFTWARE with this document is defined as implementing all of the PROCESSES, ACTIVITIES and TASKS identified in the normative parts of this document, with the exception of Annex F.
Conformance of TRANSITIONAL HEALTH SOFTWARE with Annex F of this document is defined as implementing only the PROCESSES, ACTIVITIES and TASKS identified in Annex F of this document.
Conformance is determined by inspection and by establishing traceability of the required PROCESSES, ACTIVITIES and TASKS.
The quality management system may be implemented in accordance with ISO 13485 or other equivalent quality management system standards.
IEC 62304 specifies ACTIVITIES based on the software SAFETY classification. The required ACTIVITIES are indicated in the normative text of IEC 62304 as "[Class A, B, C]", "[Class B, C]" or "[Class C]", meaning that they are required selectively depending on the classification of the software to which they apply. The requirements in this document focus specifically on information SECURITY and therefore do not follow the concept of SAFETY classes. For conformance to this document, the selection of ACTIVITIES is independent of SAFETY classes.
Implementing the PROCESSES, ACTIVITIES and TASKS of this document is sufficient to implement the PROCESS requirements of IEC 62443-4-1. For full conformance to IEC 62443-4-1, MANUFACTURERS may implement the specifications for Annex E.
This document requires establishing one or more PROCESSES that include the identified ACTIVITIES. These ACTIVITIES are to be carried out within
Standards Content (Sample)
SLOVENIAN STANDARD
01-April-2022
Health software and health IT systems safety, effectiveness and security - Part 5-1: Security - Activities in the product life cycle (IEC 81001-5-1:2021)
Gesundheitssoftware und Gesundheits-IT-Systeme Sicherheit, Effektivität und Security - Teil 5-1: Security - Aktivitäten im Produktlebenszyklus (IEC 81001-5-1:2021)
Logiciels de santé et sécurité, efficacité et sûreté des systèmes TI de santé - Partie 5-1 : Sûreté - Activités du cycle de vie du produit (IEC 81001-5-1:2021)
This Slovenian standard is identical to: EN IEC 81001-5-1:2022
ICS:
11.040.01 Medical equipment in general
35.030 IT Security
35.240.80 IT applications in health care technology
2003-01. Slovenski inštitut za standardizacijo. Reproduction of this standard in whole or in part is not permitted.
EUROPEAN STANDARD / NORME EUROPÉENNE / EUROPÄISCHE NORM
EN IEC 81001-5-1
February 2022
ICS 11.040.01; 35.240.80
English Version
Health software and health IT systems safety, effectiveness and security - Part 5-1: Security - Activities in the product life cycle (IEC 81001-5-1:2021)
Logiciels de santé et sécurité, efficacité et sûreté des systèmes TI de santé - Partie 5-1 : Sûreté - Activités du cycle de vie du produit (IEC 81001-5-1:2021)
Gesundheitssoftware und Gesundheits-IT-Systeme Sicherheit, Effektivität und Security - Teil 5-1: Security - Aktivitäten im Produktlebenszyklus (IEC 81001-5-1:2021)
This European Standard was approved by CENELEC on 2022-01-20. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2022 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 81001-5-1:2022 E
European foreword
The text of document 62A/1458/FDIS, future edition 1 of IEC 81001-5-1, prepared by SC 62A
"Common aspects of electrical equipment used in medical practice" of IEC/TC 62 "Electrical
equipment in medical practice" was submitted to the IEC-CENELEC parallel vote and approved by
CENELEC as EN IEC 81001-5-1:2022.
The following dates are fixed:
• latest date by which the document has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2022-10-20
• latest date by which the national standards conflicting with the document have to be withdrawn (dow): 2025-01-20
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national committee. A
complete listing of these bodies can be found on the CENELEC website.
Endorsement notice
The text of the International Standard IEC 81001-5-1:2021 was approved by CENELEC as a
European Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards
indicated:
IEC 62304:2006 NOTE Harmonized as EN 62304:2006 (not modified)
IEC 62443-3-2 NOTE Harmonized as EN IEC 62443-3-2
IEC 62443-3-3 NOTE Harmonized as EN IEC 62443-3-3
IEC 62443-4-1:2018 NOTE Harmonized as EN IEC 62443-4-1:2018 (not modified)
IEC 62443-4-2:2019 NOTE Harmonized as EN IEC 62443-4-2:2019 (not modified)
IEC 62740:2015 NOTE Harmonized as EN 62740:2015 (not modified)
IEC 82304-1:2016 NOTE Harmonized as EN 82304-1:2017 (not modified)
ISO/TS 14441 NOTE Harmonized as CEN ISO/TS 14441
ISO 14971:2019 NOTE Harmonized as EN ISO 14971:2019 (not modified) +A11:2021
ISO/IEC 27000:2018 NOTE Harmonized as EN ISO/IEC 27000:2020 (not modified)
ISO 27789 NOTE Harmonized as EN ISO 27789
ISO 27799 NOTE Harmonized as EN ISO 27799
ISO/IEC 29147 NOTE Harmonized as EN ISO/IEC 29147
ISO/IEC 30111 NOTE Harmonized as EN ISO/IEC 30111
ISO 13485:2016 NOTE Harmonized as EN ISO 13485:2016 (not modified) +A11:2021
IEC 62366-1:2015 NOTE Harmonized as EN 62366-1:2015 (not modified)
IEC/TR 63069 NOTE Harmonized as CLC IEC/TR 63069
ISO 9000:2015 NOTE Harmonized as EN ISO 9000:2015 (not modified)
IEC 81001-5-1
Edition 1.0 2021-12
INTERNATIONAL STANDARD
NORME INTERNATIONALE
Health software and health IT systems safety, effectiveness and security – Part 5-1: Security – Activities in the product life cycle
Logiciels de santé et sécurité, efficacité et sûreté des systèmes TI de santé – Partie 5-1: Sûreté – Activités du cycle de vie du produit
INTERNATIONAL ELECTROTECHNICAL COMMISSION
COMMISSION ELECTROTECHNIQUE INTERNATIONALE
ICS 11.040.01; 35.240.80
ISBN 978-2-8322-1053-7
– 2 – IEC 81001-5-1:2021 © IEC 2021
CONTENTS
FOREWORD
INTRODUCTION
0.1 Structure
0.2 Field of application
0.3 Conformance
1 Scope
2 Normative references
3 Terms and definitions
4 General requirements
4.1 Quality management
4.1.1 Quality management system
4.1.2 Identification of responsibilities
4.1.3 Identification of applicability
4.1.4 SECURITY expertise
4.1.5 SOFTWARE ITEMS from third-party suppliers
4.1.6 Continuous improvement
4.1.7 Disclosing SECURITY-related issues
4.1.8 Periodic review of SECURITY defect management
4.1.9 ACCOMPANYING DOCUMENTATION review
4.2 SECURITY RISK MANAGEMENT
4.3 SOFTWARE ITEM classification relating to risk transfer
5 Software development PROCESS
5.1 Software development planning
5.1.1 ACTIVITIES in the LIFE CYCLE PROCESS
5.1.2 Development environment SECURITY
5.1.3 Secure coding standards
5.2 HEALTH SOFTWARE requirements analysis
5.2.1 HEALTH SOFTWARE SECURITY requirements
5.2.2 SECURITY requirements review
5.2.3 SECURITY risks for REQUIRED SOFTWARE
5.3 Software architectural design
5.3.1 DEFENSE-IN-DEPTH ARCHITECTURE/design
5.3.2 Secure design best practices
5.3.3 SECURITY architectural design review
5.4 Software design
5.4.1 Software design best practices
5.4.2 Secure design
5.4.3 Secure HEALTH SOFTWARE interfaces
5.4.4 Detailed design VERIFICATION for SECURITY
5.5 Software unit implementation and VERIFICATION
5.5.1 Secure coding standards
5.5.2 SECURITY implementation review
5.6 Software integration testing
5.7 Software system testing
5.7.1 SECURITY requirements testing
5.7.2 THREAT mitigation testing
5.7.3 VULNERABILITY testing
5.7.4 Penetration testing
5.7.5 Managing conflicts of interest between testers and developers
5.8 Software release
5.8.1 Resolve findings prior to release
5.8.2 Release documentation
5.8.3 File INTEGRITY
5.8.4 Controls for private keys
5.8.5 Assessing and addressing SECURITY-related issues
5.8.6 ACTIVITY completion
5.8.7 SECURE decommissioning guidelines for HEALTH SOFTWARE
6 SOFTWARE MAINTENANCE PROCESS
6.1 Establish SOFTWARE MAINTENANCE plan
6.1.1 Timely delivery of SECURITY updates
6.2 Problem and modification analysis
6.2.1 Monitoring public incident reports
6.2.2 SECURITY update VERIFICATION
6.3 Modification implementation
6.3.1 SUPPORTED SOFTWARE SECURITY update documentation
6.3.2 MAINTAINED SOFTWARE SECURITY update delivery
6.3.3 MAINTAINED SOFTWARE SECURITY update INTEGRITY
...