Cybersecurity Requirements
Overview
MedDO Annex I § 17.2 requires software-based devices to achieve a level of IT security appropriate to their intended purpose, protecting against unauthorised access that could affect device operation or safety. These requirements apply both pre-market (in the technical documentation) and post-market (through post-market surveillance (PMS) and patch management).
Key Standard: IEC 81001-5-1
IEC 81001-5-1:2021 (Health software: security activities in the product life cycle) is the primary harmonised standard. It covers: security risk management integrated with ISO 14971; threat modelling and vulnerability management; security testing requirements; secure communication guidance; post-market monitoring and patch management.
Pre-Market Technical Documentation Requirements
Technical documentation must include: cybersecurity risk assessment integrated with the risk management file; threat modelling outputs; security controls implemented (encryption, authentication, access controls); minimum hardware/software environment description; penetration test results (for connected devices); software bill of materials (SBOM).
Post-Market Cybersecurity
Post-market obligations include: monitoring CVE databases (e.g. the NVD) for vulnerabilities in the third-party components listed in the device's SBOM; issuing security patches through the PMS system; reporting cybersecurity incidents that constitute serious incidents to Swissmedic via eVigilance.
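Component-level vulnerability monitoring only works if the SBOM from the pre-market file carries a stable package identifier for every third-party component. The following Python is added here as an illustration of that matching step; it is not taken from the page, from IEC 81001-5-1 or from any Swissmedic material. A constructed CycloneDX-style SBOM is checked against a constructed advisory feed that uses OSV-style introduced/fixed version ranges. The package names (example-tls, example-json, example-log) and advisory IDs (EXAMPLE-000x) are placeholders, not real packages or CVEs, and the version comparison assumes plain dotted numeric versions.

```python
"""Match an SBOM's third-party components against a vulnerability feed.

Added example, not code from the page or from any regulator or standard.
Assumptions: the SBOM is CycloneDX JSON with a package URL (purl) per
component, and the feed lists advisories by versionless purl with an
inclusive "introduced" and exclusive "fixed" version (OSV range style).
All data below is constructed: package names and advisory IDs are
placeholders, not real libraries or real CVE identifiers.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed SBOM fragment in CycloneDX JSON layout.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-tls", "version": "1.2.3",
     "purl": "pkg:generic/example-tls@1.2.3"},
    {"type": "library", "name": "example-json", "version": "2.0.0",
     "purl": "pkg:generic/example-json@2.0.0"},
    {"type": "library", "name": "example-log", "version": "0.9.1",
     "purl": "pkg:generic/example-log@0.9.1"}
  ]
}
"""

# Constructed advisory feed. "introduced" is inclusive, "fixed" is
# exclusive; fixed=None means no fixed release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "pkg:generic/example-tls",
     "introduced": "1.0.0", "fixed": "1.2.4"},
    {"id": "EXAMPLE-0002", "package": "pkg:generic/example-json",
     "introduced": "1.0.0", "fixed": "2.0.0"},
    {"id": "EXAMPLE-0003", "package": "pkg:generic/example-log",
     "introduced": "0.9.0", "fixed": None},
]


def parse_version(v: str) -> tuple:
    """Dotted numeric version to a comparable tuple (assumption: no
    pre-release tags; a real checker needs ecosystem-specific parsing)."""
    return tuple(int(part) for part in v.split("."))


def purl_without_version(purl: str) -> str:
    """Strip the '@version' suffix so the purl can be matched to a feed entry."""
    return purl.split("@", 1)[0]


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (or no fix exists)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    advisory: str
    fixed_in: Optional[str]


def match_sbom(sbom_json: str, advisories: list) -> List[Finding]:
    """Return one Finding per (component, advisory) pair that applies."""
    sbom = json.loads(sbom_json)
    findings: List[Finding] = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            # Without a package identifier the component cannot be
            # monitored at all; in a real pipeline this is a finding in
            # itself, here it is skipped explicitly rather than silently.
            continue
        base = purl_without_version(purl)
        for adv in advisories:
            if adv["package"] != base:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append(Finding(comp["name"], comp["version"],
                                        adv["id"], adv["fixed"]))
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        status = f"fix in {f.fixed_in}" if f.fixed_in else "no fix released"
        print(f"{f.component}@{f.version}: {f.advisory} ({status})")
```

Run against the constructed data this reports example-tls (fixed in a later release) and example-log (no fix yet) and clears example-json, whose version equals the exclusive fix boundary. In a real pipeline the feed would be pulled from the NVD or OSV and the SBOM emitted by the build, and the "no fix released" case is the one that feeds the patch-management and incident-assessment decisions described above.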
Official Sources
AI-assisted content for navigation only. Always verify against official Swissmedic and Fedlex sources. Not legal or regulatory advice.