IEC 62304 – Part 4: Cybersecurity opening the flood gates

In this fourth and final part of our IEC/DIS 62304 blog series (Part 1: It's a class app, Part 2: It's a different class, Part 3: How agile are you?) we look at the relationship between the forthcoming version of 62304 and the challenges of cybersecurity.

Over the last 5 years cybersecurity has become one of the biggest global topics, but because international standards have long development lifecycles, they struggle to match the pace of this sector.

There have been a number of updates in IEC/DIS 62304 that start to address the challenges of cybersecurity. The introduction of IEC/DIS 62304 makes clear that it does not duplicate well-established security standards, which on one hand is good but on the other is where the problems start.

Cybersecurity Standards

There is an array of cybersecurity standards around the globe now, and knowing which ones to use has become a bit of a minefield. The new Annex C does provide a very good comparison table; four of its entries are shown in Figure 1:

Figure 1: Part of the cybersecurity standard comparison table

AAMI TIR 57 and ISO 14971

In total, table C.1 lists 15 different security standards. For many teams cybersecurity is a newer and less familiar topic than software development. AAMI TIR 57 is referenced several times in IEC/DIS 62304, which is good because, above all, TIR 57 bases its processes on ISO 14971, which is known to everyone in the industry (see Figure 2).

Figure 2: Relation between TIR 57 and ISO 14971

TIR 57 Annex D, akin to ISO 14971, has a good summary of security risks that teams new to the area can use to start identifying potential threats and mitigations. Also good reading on the link between cybersecurity and the medical device sector is ISO/PRF TR 24971, due out in July 2020; the AAMI DIS version is already available.

Cybersecurity terminology

Additionally, there is often confusion over cybersecurity terminology, and there are no new definitions listed in the IEC/DIS 62304 glossary. Denial of service, threat and malware are used in the body of the standard; it would be helpful to add these cybersecurity terms to the terms and definitions section.

In our next medical device sector blog, we will look at the topic of post market surveillance in connection with amongst other things cybersecurity.

By Alastair Walker, Consultant

Do you want to learn more about the implementation of IEC 62304, ISO 14971, AAMI TIR 57 or any other standard in the Automotive or Medical Device sector? We work remotely with you. Please contact us at for bespoke consultancy or join one of our upcoming online courses.



We look forward to hearing from you.
