IEC 81001-5-1:2021 - Important clarifications in December 2025

1. Role of health software in the ecosystem
The interpretation sheet (ISH) emphasizes that health software is always part of a networked, socio-technical health IT system. The reference to ISO 81001-1 makes the software's place in the overall architecture clearer and underlines the system perspective.
2. Security activities & documentation
Manufacturers must provide clearly defined accompanying documents so that risks are transferred to operators transparently.
Important aspects:
- Disclosure of security issues
- Review of relevant security guidelines
- Transparent transfer processes for risk management
3. Software categories: Maintained / Supported / Required
The ISH explains the three categories from Chapter 4.3 and their legal and technical significance:
- The categories are nested, but they do not form a hierarchy of risk profiles.
- The following applies to all software items: identify risks, communicate updates, and perform integrity checks (this varies depending on category).
- Manufacturers may downgrade categories over the product's lifetime (e.g., Maintained → Supported), but must document the risk transfer.
4. No fourth category: Transitional Software
The ISH clarifies: Transitional software is not a separate type, but a state of the overall product (Annex F).
5. Post-market security: Focus on information flows
Incident monitoring focuses on checking the information, not necessarily the source. This increases efficiency in the post-market security process.
Conclusion
With Interpretation Sheet 1, IEC 81001-5-1 provides greater clarity for manufacturers and operators. The more precise requirements help to better manage risks in the life cycle of health software and to strengthen cybersecurity in healthcare in the long term.
