Requirements for penetration tests according to ISO IEC 81001-5-1
IEC 81001-5-1 defines requirements for the development and maintenance life cycle of healthcare applications and of information technology within medical devices. To achieve this, the standard sets requirements for various processes in the life cycle of a medical device and is primarily divided into the following requirement categories:
- Quality Management
- Software Development Process
- Software Maintenance Process
- Security Risk Management Process
- Software Configuration Management Process
- Software Problem Resolution Process
Within the software development process there is a requirement for software system testing, which is divided into security requirement testing, threat mitigation testing, vulnerability testing and penetration testing.
The manufacturer must commission a penetration test to identify security vulnerabilities in the software (health application or medical device). IEC 81001-5-1 requires that penetration testing attempts to compromise confidentiality, integrity and availability. This may involve bypassing several lines of defense in the design, using tools and, in particular, the manual skills of the penetration tester.
The standard also emphasizes that penetration testers must be independent of the development department. Since very few medical device manufacturers have their own penetration testing department, a company specializing in penetration testing usually has to be commissioned.