
Understanding the IEC TR 60601-4-5: Medical Electrical Equipment
Part 4-5: Guidance and Interpretation
Safety-Related Technical Security Specifications

White paper

Abstract
There are many reasons why all digital healthcare and medical devices must be thoroughly tested and secured. For some
time now, more and more cybersecurity incidents have been occurring within the healthcare sector, leading to more
legislation and regulations across the industry.

The IEC TR 60601-4-5 provides detailed technical information for security features in medical devices used in medical IT
networks, such as medical electrical equipment, medical electrical systems, and medical device software. This Technical
Report released in 2021 addresses IT security for medical products in the scope that they are integrated into IT networks.
This also affects software as a medical device.

TÜV SÜD
TÜV SÜD | Weathering the Storm 1
Contents
ABOUT THE EXPERTS (p. 2)
INTRODUCTION (p. 3)
UNDERSTANDING PREVIOUS STANDARDS (p. 4)
INTRODUCING THE IEC TR 60601-4-5 (p. 4)
WHAT'S IN THE IEC TR 60601-4-5? (p. 5)
IMPORTANCE OF COMPLIANCE WITH THE IEC TR 60601-4-5 (p. 6)
ABOUT TÜV SÜD (p. 7)

About the Expert


Dr.-Ing. Abtin Rad
Global Director of Functional Safety, Software, and Digitization for Medical & Health Services at TÜV SÜD

Dr.-Ing. Abtin Rad is a member of the standardization committee for medical device IT security
(60601-4-5). Abtin has co-authored the guidance document for cybersecurity provided by
the interest group of notified bodies. He has 14 years of professional experience in the
development of medical device software.
Besides his work at TÜV SÜD, Abtin is an associate professor at the University of Applied
Sciences in Hamburg for medical device software, medical imaging, and digital filter design
topics.

Introduction

There are many reasons why all digital healthcare and medical devices must be thoroughly tested and secured. For some time now, more and more cybersecurity incidents have been occurring within the healthcare sector, leading to more legislation and regulations across the industry.

There are many potential safety and security issues to consider when it comes to medical devices. Perhaps the most obvious is that unauthorized access to medical devices could result in severe injury – or even death – so medical device manufacturers must ensure the technology used in these devices is as secure as it can be.

However, a less apparent reason is the need for absolute patient confidentiality, where any failure to preserve it would lead to a significant breach of privacy. After all, cybersecurity incidents are terrifying – but within the healthcare realm, they are unacceptable.

Until now, guidance and standardization have primarily concentrated on risk management, leaving medical device manufacturers without a cybersecurity standard that offers a solution.

In the following pages, you'll learn what the IEC TR 60601-4-5 is, the key aspects of this standard, and the importance of compliance.

Understanding previous standards
PREVIOUS STANDARDS FOCUSED ON CYBER RISK MANAGEMENT IN GENERAL
Previous standards, including AAMI TIR 57, focused on cyber risk management in general, leaving manufacturers with a lack of technical standards that help to mitigate risks within the medical device community. Another previous standard, UL 2900-2-1, applicable to US medical device manufacturers, calls for the secure design and security testing of medical devices.

The IEC 62443 family became the typical standard for cybersecurity across a variety of industries. However, it still didn't quite meet all the requirements of the healthcare sector. Since this came to light, both ISO and IEC have been working to develop new standards that address these gaps.

And so IEC TR 60601-4-5 was introduced, enhancing the IEC 62443-4 standard, which in turn acts as an essential part of the IEC TR 60601-4-5 implementation process.

Introducing the IEC TR 60601-4-5


Typically, the IEC 60601 family of standards is only applicable to electrical and electro-mechanical medical devices. However, there is one exception to this rule: IEC TR 60601-4-5. Released in 2021, this new Technical Report addresses IT security for medical products in the scope that they are integrated into IT networks. This will also affect software as a medical device.

This technical report solidifies the idea that security issues must be a shared burden between both the manufacturer and the operator of the medical device. This document's objective is to extend the implementation of Basic Safety and Essential Performance by defining the minimum necessary clinical functionality and availability of the medical device.

The standard aims to define testable security properties for medical devices, as there are no official test report forms in existence today. One will likely be published in the next few years, and test labs will offer relevant testing services.

The IEC TR 60601-4-5 is also intended to be harmonized with the Medical Device Reporting (MDR) and to help manufacturers meet the general safety and performance requirements (GSPR) 17.2, 17.4, and 23.4 of the MDR.

What’s in the IEC TR 60601-4-5?

TYPES OF SECURITY LEVELS


IEC TR 60601-4-5 provides details on the technical content of the standardization work towards the IEC
TR 60601-4-5 for security features in medical devices used in medical IT networks, such as medical
electrical equipment, medical electrical systems, and medical device software.

Within IEC TR 60601-4-5, there are three types of security levels.

SL-T: The Target Security Level is the level that must be achieved for the network, including the networked medical devices, so that the set protection goal is met. SL-T is determined by the operator or integrator, as only they can decide which network environment a medical device will be used in. IEC 60601-4-5 recommends separately determining the SL-Ts for the various environments, taking into account the following considerations:

- The value of the product
- The amount of damage done if the basic safety or essential performance features are no longer available
- The presence of patient data
- The user profile
- A home network versus a hospital network
- The number of affected medical products currently on the market
- The attack surface, such as the number of devices or available ports, interfaces, etc.

SL-C: The Capability Security Level is the level that can be achieved, for both the medical product and the network, if measures to improve IT security are taken.

SL-C is determined by the manufacturer and holds as long as the operator uses the device according to the manufacturer's specifications. It depends on which measures the manufacturer has both implemented and reviewed.

SL-A: The Achieved Security Level is the level that is actually reached in operation.

Which level is reached as SL-A depends on whether the operator has correctly configured the network, and on whether the operator has implemented measures to increase IT security outside of the device.

For each of these security level types, there are five proposed levels, from SL 0 – where nothing is implemented – to SL 4, the highest level. Higher security levels must be achieved for higher-risk devices.

While IEC TR 60601-4-5 does not apply to in-vitro diagnostic devices (IVD), it applies to medical devices
with external data interfaces used to capture confidential data. It does not apply to other software used
on a medical IT network that does not meet the definition of medical device software.

Importance of compliance with the IEC TR 60601-4-5

ENSURING CYBERSECURITY SAFETY


Medical devices are some of the most highly regulated products found in the market today. A single functional failure, including one caused by a cybersecurity incident, could be a matter of life or death for those using them.

Failure to ensure medical device cybersecurity can lead to massive reputational damage for medical device
manufacturers and the healthcare organizations that use this precarious technology. By implementing and adhering to IEC
TR 60601-4-5 in addition to other relevant standards, companies can ensure their products are safe and well-accepted in
the market. Failure to comply can have serious consequences.

IEC TR 60601-4-5 offers manufacturers the opportunity to prepare for full implementation in the years ahead. TÜV SÜD's leading experts provide a full suite of testing and certification services in preparation for these new technical considerations.

About TÜV SÜD

TÜV SÜD is a world leader in testing medical products and an expert in testing the cybersecurity of connected medical products.
Medical devices, digital products, software, cloud infrastructure, or mobile apps for the medical industry, we have tested it all.

Since 1999, we have certified more than 1,000 functional safety experts globally and issued more than 2,000 certificates for functional-safety-tested products. Our experts serve on standardization committees for functional safety and keep you informed about emerging standards and regulations so you can stay ahead of the competition.
In the field of medical devices, TÜV SÜD is the largest Notified Body in the world, having over 700 dedicated medical health and
services experts situated in major markets worldwide. In addition, we have a dedicated Regulatory Foreign Affairs & Clinical
Department for monitoring and understanding updates in medical health services and devices regulations worldwide.

Learn about the services we provide for the
healthcare and medical device industry
www.tuvsud.com/en-us/industries/healthcare-and-medical-devices
info-us@tuvsud.com

Add value. Inspire trust.


TÜV SÜD is a trusted partner of choice for safety, security and sustainability solutions. It specializes in testing,
certification, auditing and advisory services. Since 1866, the company has remained committed to its purpose of
enabling progress by protecting people, the environment and assets from technology-related risks. Through more than
25,000 employees across over 1,000 locations, it adds value to customers and partners by enabling market access and
managing risks. By anticipating technological developments and facilitating change, TÜV SÜD inspires trust in a
physical and digital world to create a safer and more sustainable future.

2021 © TÜV SÜD AMERICA MKG_MHS_7.0_en_US

TÜV SÜD AMERICA


HEADQUARTERS
401 Edgewater Place, Suite 500
Wakefield, MA 01880
United States of America
+1 978 573 2500

COPYRIGHT NOTICE
The information contained in this document represents the current view of TÜV SÜD on the issues discussed as of the date of publication. Because TÜV SÜD must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of TÜV SÜD, and TÜV SÜD cannot guarantee the accuracy of any information presented after the date of publication.
This guideline is for informational purposes only. TÜV SÜD makes no warranties, express, implied or statutory, as to the information in this document. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of TÜV SÜD.
TÜV SÜD may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in
any written license agreement from TÜV SÜD, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. ANY
REPRODUCTION, ADAPTATION OR TRANSLATION OF THIS DOCUMENT WITHOUT PRIOR WRITTEN PERMISSION IS PROHIBITED, EXCEPT AS ALLOWED UNDER THE COPYRIGHT
LAWS. © TÜV SÜD Group – 2021 – All rights reserved - TÜV SÜD is a registered trademark of TÜV SÜD Group.

DISCLAIMER
All reasonable measures have been taken to ensure the quality, reliability, and accuracy of the information in the content. However, TÜV SÜD is not responsible for the third-party content
contained in this guideline. TÜV SÜD makes no warranties or representations, expressed or implied, as to the accuracy or completeness of information contained in this guideline. This
guideline is intended to provide general information on a particular subject or subjects and is not an exhaustive treatment of such subject(s). Accordingly, the information in this guideline
is not intended to constitute consulting or professional advice or services. If you are seeking advice on any matters relating to information in this guideline, you should – where appropriate
– contact us directly with your specific query or seek advice from qualified professional people. TÜV SÜD ensures that the provision of its services meets independence, impartiality and
objective requirements. The information contained in this guideline may not be copied, quoted, or referred to in any other publication or materials without the prior written consent of
TÜV SÜD. All rights reserved © 2021 TÜV SÜD.
