IEC TS 81001-2-2-2025 PDF

St IEC TS 81001-2-2-2025

Name in English:
St IEC TS 81001-2-2-2025

Name in Russian:
Ст IEC TS 81001-2-2-2025

Description in English:

Original standard IEC TS 81001-2-2-2025, full version in PDF. Additional information and a preview are available on request.

Description in Russian:
Original standard IEC TS 81001-2-2-2025, full version in PDF. Additional information and a preview are available on request.

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiec10413

Price:
€35

Full title and description

St IEC TS 81001-2-2-2025 — Health software and health IT systems safety, effectiveness and security — Part 2-2: Guidance for the implementation, disclosure and communication of security needs, risks and controls. This Technical Specification provides an informative set of high-level security-related capabilities and considerations to support information exchange about security needs, risks and controls between health software manufacturers (including medical device manufacturers), healthcare delivery organizations and other stakeholders, for health software deployed on any platform or environment (cloud, on-premise or hybrid).

Abstract

This document outlines common security capabilities and additional considerations to be applied across the lifecycle of health software and health IT systems to enable consistent implementation, disclosure and communication of security needs, risks and controls. It extends prior IEC guidance that focused on medical device networks to address health software more broadly, aligns terminology with ISO 81001-1:2021 and updated IEC 80001-1, and provides mappings to current security control standards. It explicitly withdraws and replaces IEC TR 80001-2-2:2012 and IEC TR 80001-2-8:2016.

General information

  • Status: Published (Technical Specification).
  • Publication date: 1 October 2025 (Edition 1.0).
  • Publisher: IEC (International Electrotechnical Commission); developed by TC 62/SC 62A in cooperation with ISO/TC 215.
  • ICS / categories: Health informatics / IT applications in health care technology and IT security (e.g., 35.030; 35.240.80; listings also show 11.040.01).
  • Edition / version: Edition 1.0 (IEC/TS 81001-2-2:2025).
  • Number of pages: 103 pages per IEC webstore listing (some catalogs list 96 pages — see publisher listing differences).

Scope

The scope covers guidance for implementing, disclosing and communicating security needs, risks and controls for health software and health IT systems across their life cycle. It applies to health software on any platform and in any deployment model (cloud, on-premise, hybrid). It does not cover an HDO's internal security policies, a manufacturer's internal product/service security policies, determinations of risk tolerance by HDOs or manufacturers, nor specific clinical-study data-security measures; however, many of the considerations can be applied to other products that operate on health IT infrastructure. The specification replaces and consolidates previous IEC TR guidance focused on medical device network risk management.

Key topics and requirements

  • High-level security-related capabilities for health software across the lifecycle (design, deployment, maintenance, decommissioning).
  • Guidance for clear disclosure and communication of security needs, risks and available controls between manufacturers, healthcare delivery organizations and other stakeholders.
  • Mappings of recommended security controls to relevant standards and frameworks (examples include IEC TR 60601-4-5, IEC 62443-4-2, ISO/IEC 27002, ISO/IEEE 11073 profiles and NIST SP 800-53 Rev. 5).
  • Integration and alignment with ISO 81001-1:2021 and the updated IEC 80001-1 terminology and structure.
  • Removal of the previous “Configuration of Security Features (CNFS)” capability as a separate capability — requiring instead explicit communication when security features are configurable.
  • Practical recommendations to support procurement, integration, incident response coordination and shared risk management across HDOs and vendors.

Typical use and users

Primary users include health software and medical device manufacturers, healthcare delivery organizations (IT, cybersecurity and clinical engineering teams), health IT integrators and service providers, procurement teams, regulators and conformity assessment bodies. Typical uses are to support vendor–provider security communications, to inform procurement and integration contracts, to guide secure product lifecycle practices, and to provide reference mappings when aligning product security capabilities to corporate and regulatory requirements.

Related standards

Relevant and related documents include ISO 81001-1:2021 (health software safety management), the updated IEC 80001-1 series, the withdrawn IEC TR 80001-2-2:2012 and IEC TR 80001-2-8:2016 (replaced by this TS), IEC TR 60601-4-5, the IEC 62443 series, the ISO/IEC 27000 series, the ISO/IEEE 11073 family and NIST security frameworks (e.g., SP 800-53 Rev. 5). This TS provides explicit mappings and alignment guidance to many of these documents.

Keywords

health software; health IT; cybersecurity; security communication; risk communication; security controls; risk management; vendor–provider coordination; IEC 81001; ISO 81001; medical device security.

FAQ

Q: What is this standard?

A: IEC/TS 81001-2-2:2025 is a Technical Specification giving guidance for implementing, disclosing and communicating security needs, risks and controls for health software and health IT systems across their lifecycle. It consolidates and updates prior IEC technical reports on medical device network security and extends the scope to health software more broadly.

Q: What does it cover?

A: It covers high-level security capabilities and considerations to support consistent communication and coordination between manufacturers, healthcare delivery organizations and other stakeholders, and provides mappings to relevant security standards and control frameworks. It does not replace an organization's own security policies or determine risk tolerance decisions.

Q: Who typically uses it?

A: Manufacturers of health software and medical devices, HDO IT/security/clinical engineering teams, integrators, procurement and regulatory stakeholders use it to support secure procurement, integration, shared risk management and vendor–provider communication.

Q: Is it current or superseded?

A: As published on 1 October 2025 (Edition 1.0) the TS is current and formally withdraws and replaces IEC TR 80001-2-2:2012 and IEC TR 80001-2-8:2016. Users should consult the TS as the authoritative guidance after its publication date.

Q: Is it part of a series?

A: Yes — it is Part 2-2 of the IEC 81001 family addressing health software and health IT systems safety, effectiveness and security; it is intended to align with and complement ISO 81001-1 and other parts of the IEC/ISO health software standardization work.

Q: What are the key keywords?

A: Key keywords include: health software, health IT, cybersecurity, security needs, risk communication, security controls, vendor–provider coordination, risk management.