In the context of medical device design, cybersecurity plays a central role. After addressing the regulatory aspects related to the Medical Device Regulation (MDR) 2017/745 and exploring hardware and software solutions to meet cybersecurity requirements, this new article focuses on the concept of Security-by-Design as defined in the IEC 81001-5-1:2021 standard.
The standard defines the activities required to ensure the security of health software throughout its lifecycle processes. Health software refers to software intended to manage, maintain, or improve the health of individuals, or software developed to be incorporated into a medical device.
In this context, security becomes an objective to be addressed from the earliest stages of software development, according to the Security-by-Design approach.
The standard also recalls several concepts introduced in IEC 62304, which defines software lifecycle processes for medical devices. While IEC 62304 focuses on safety, IEC 81001-5-1 adds security-specific requirements, such as the definition of security requirements and the activities dedicated to securing the software architecture.
One of the key elements of the standard is the defense-in-depth approach, which involves implementing multiple layers of protection within the system architecture to protect critical system components and reduce the impact of potential attacks.
The standard also identifies several secure design best practices, including:
- documentation of trust boundaries between different areas of the system
- application of the principle of least privilege
- use of secure and certified software
- reduction of attack surfaces through risk analysis and mitigation
Another fundamental element is the threat modeling process, used to identify potential threats and define mitigation strategies. Among the most widely used methods mentioned in the standard is the STRIDE model, which analyzes different types of threats such as spoofing, tampering, and denial of service.
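As an added illustration (not part of the article or of the standard's text), the following Python sketch applies the STRIDE-per-element convention to a constructed data-flow model of a hypothetical connected patient monitor: every element gets the threat categories that apply to its type, and a data flow gets its own entries only when it crosses a documented trust boundary, which ties the STRIDE step to the trust-boundary documentation listed above. The element types, trust zones and flows are assumptions chosen for the example.

```python
from dataclasses import dataclass
# STRIDE-per-element: the categories that apply to each DFD element type.
# (S)poofing, (T)ampering, (R)epudiation, (I)nformation disclosure, (D)enial of service, (E)levation of privilege
STRIDE = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information disclosure", "D": "Denial of service",
         "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | store
    zone: str   # documented trust zone the element lives in

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str   # what travels over the flow

def crosses_boundary(flow):
    """A flow needs its own threat entries only when it crosses a trust boundary."""
    return flow.src.zone != flow.dst.zone

def enumerate_threats(elements, flows):
    """Return (target, threat category) pairs to be carried into risk analysis."""
    threats = []
    for e in elements:
        threats += [(e.name, NAMES[c]) for c in STRIDE[e.kind]]
    for f in flows:
        if crosses_boundary(f):
            target = f"{f.src.name}->{f.dst.name} ({f.data})"
            threats += [(target, NAMES[c]) for c in STRIDE["flow"]]
    return threats

# Constructed model (an assumption, not from the article): a bedside monitor in the
# device zone, a clinician in the hospital zone, an API and a database in the cloud zone.
monitor = Element("Bedside monitor firmware", "process", "device")
clinician = Element("Clinician", "external", "hospital")
api = Element("Telemetry API", "process", "cloud")
db = Element("Patient record store", "store", "cloud")
ELEMENTS = [monitor, clinician, api, db]
FLOWS = [Flow(clinician, monitor, "alarm thresholds"),
         Flow(monitor, api, "vitals stream"),
         Flow(api, db, "stored vitals")]

if __name__ == "__main__":
    for target, category in enumerate_threats(ELEMENTS, FLOWS):
        print(f"{category:24} -> {target}")
```

Each resulting pair is a candidate threat that still needs a risk rating and a mitigation decision; the cloud-internal flow produces no entries because it stays inside one trust zone.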
The standard also mentions additional threat analysis methods, including DREAD, CVSS, Attack-Defense Tree, OCTAVE, and VAST.

Want to learn more about cybersecurity in medical software and how the IEC 81001-5-1 standard applies the Security-by-Design approach? Download the full article by Gaia Di Federico or explore more technical insights in the MedTech Publications section.