The IEC 81001-5-1 defines requirements for the life cycle of the development and maintenance regarding healthcare applications and information technology within medical devices. To achieve this, the standard sets requirements for various processes in the life cycle of a medical device and is primarily divided into the following requirement categories.

• Quality management
• Software Development Process
• Software Maintenance Process
• Security Risk Management Process
• Software Configuration Management Process
• Software problem resolution Process

Within the software development process there is the requirement for software system testing, which is divided into security requirement testing, threat mitigation testing, vulnerability testing and penetration testing.

The manufacturer must commission a penetration test to identify security vulnerabilities in the software (health application or medical device). IEC 81001-5-1 requires that penetration testing attempts to compromise confidentiality, integrity and availability. This may involve bypassing several lines of defense in the design by using tools and, in particular, manual skills of the penetration tester.

The standard also emphasizes that penetration testers must be independent of the development department. Since very few medical device manufacturers have their own penetration testing department, a company specializing in this usually has to be commissioned.

In Annex I, for “devices that incorporate electronic programmable systems and software that are devices in themselves”, the MDR requires verification and validation under point 17.2 that the product or software was developed according to the state of the art – from the perspective of the IT security:

For devices that incorporate software or for software that are devices in themselves, the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation.

REGULATION (EU) 2017/745 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 5 April 2017

In the Medical Device Coordination Group Document “MDCG 2019-16 Guidance on Cybersecurity for medical devices” there is now the requirement of penetration testing as a specification of the previous verification and validation requirement:

MDR Annex I Section 17.2 and IVDR Annex I Section 16.2 require for devices that incorporate software or for software that are devices in themselves, that the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of the development life cycle, risk management, including information security, verification and validation. The primary means of security verification and validation is testing. Methods can include security feature testing, fuzz testing, vulnerability scanning and penetration testing. Additional security testing can be one by using tools for secure code analysis and tools that scan for open source code and libraries used in the product, to identify components with known issues.

Medical Device Coordination Group Document, MDCG 2019-16

Participating in the Microsoft 365 Certification App Compliance Program for Microsoft Teams applications, Sharepoint Apps/Add-ins, Office Add-ins and WebApps requires performing a penetration test. In the Initial Document Submission a company needs to submit supporting documentation and evidence. Besides other topics, a Penetration Testing Report is required. A penetration testing report completed within the last 12 months. This report must include the pentest of the live environment that supports the deployment of the app along with any additional environment that supports the operation of the app. If segmentation controls are in place, these must also be validated.

The pentest requirements by Microsoft are:

• Every 12 months application and infrastructure pentesting must take place annually.
• These Tests are conducted by a reputable independent company.
• Remediation of identified critical and high-risk vulnerabilities must be completed within one month after the pentest report.
• The full external attack surface (IP Addresses, URLs, API Endpoints, etc.) must be included within the scope of penetration testing and must be documented within the penetration testing report.
• Web application penetration testing must include all typical vulnerability classes; for example, the most current OWASP Top 10 or SANS Top 25 CWE.
• Retesting of identified vulnerabilities by the penetration testing company is not required — remediation and self-review is sufficient however, adequate evidence to demonstrate sufficient remediation must be provided during the assessment. Retesting of identified vulnerabilities are nevertheless best practice in information security.
• Penetration testing reports will be reviewed to ensure there are no vulnerabilities that meet the following automatic failure criteria:
  • Unsupported operating system
  • Default, enumerable, or guessable administrative accounts.
  • SQL injection risks
  • XSS
  • Directory traversal (file path) vulnerabilities.
  • Typical HTTP vulnerabilities, e.g., Header response splitting, Request smuggling, and Desync attacks
  • Source code disclosure (including LFI)
  • Any critical or high score as defined by the CVSS patch management guidelines.
  • Any significant technical vulnerability which can be readily exploited to compromise a large amount of EUII or OUI