Where the Standards Meet Cybersecurity
ISO 13485 is the international standard that defines quality management system (QMS) requirements for medical device manufacturers. IEC 62304 is the technical standard that governs the medical device software development lifecycle and prescribes different safety requirements according to software classification (A, B, C).
Although neither standard originally addressed cybersecurity explicitly, later revisions and regulatory pressure have closed this gap: the MDCG 2019-16 guidance on cybersecurity for medical devices, the IEC 81001-5-1 standard, and FDA premarket cybersecurity guidance have made security an integral part of the medical software development process.
Published in 2021, IEC 81001-5-1 defines the security activities for health software (secure development practices, security risk management, vulnerability handling) and maps them onto the IEC 62304 lifecycle, so that a manufacturer already working to IEC 62304 can add them without a second process. It is now effectively accepted as the reference standard for demonstrating cybersecurity compliance under the MDR.
Software Classification and Security Requirements
IEC 62304 assigns software to one of three safety classes according to the worst-case harm a software failure could cause. TUGAY scales the scope of security testing to the same classification:
- Class A: no injury or damage to health is possible; basic security review
- Class B: non-serious injury is possible; comprehensive source code analysis and security testing
- Class C: death or serious injury is possible; full-scope penetration testing and formal verification
The safety class measures harm from software failure, not exposure to attack, so it sets the depth of testing but does not replace a security risk assessment: a Class A component that is reachable over a network or a USB port still needs its own threat model.
Integration into the Secure Software Development Lifecycle
TUGAY treats security testing not as an activity performed solely at the final stage, but as a continuous process distributed across every phase of the software development lifecycle (SDLC).
- Requirements Phase: Security requirements are identified and a threat model is created (STRIDE methodology).
- Design Phase: Secure architecture review and data flow analysis are performed.
- Development Phase: Static code analysis (SAST) is integrated into the CI/CD pipeline; secure coding reviews are conducted.
- Testing Phase: Dynamic application testing (DAST), fuzzing, and penetration testing are applied.
- Release and Maintenance: A vulnerability management process is established (SBOM generation for each release, continuous matching of published CVEs against the SBOM, tracked remediation); periodic re-testing is scheduled.
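The maintenance-phase step above (match published CVEs against the SBOM of a released build) is the one that is easiest to automate and most often left manual. The script below is an added example, not TUGAY's tooling: it parses a CycloneDX JSON SBOM, compares each component's version against an advisory feed with "introduced / fixed" version ranges, and returns a finding list plus a CI gate verdict. The SBOM, the component names (pumpctl-core, hl7-parser, tls-stack) and the advisory records are constructed for illustration; the CVE identifiers are placeholders, not real advisories.

```python
"""
Added example (not TUGAY's own tooling): match a CycloneDX SBOM against a
vulnerability feed and flag components inside a known-affected version range.
All component names, versions and advisory records are constructed; the
CVE identifiers are placeholders and do not refer to real advisories.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX 1.4 JSON SBOM (hypothetical components).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "pumpctl-core", "version": "2.3.1",
     "purl": "pkg:generic/pumpctl-core@2.3.1"},
    {"type": "library", "name": "hl7-parser", "version": "1.8.0",
     "purl": "pkg:generic/hl7-parser@1.8.0"},
    {"type": "library", "name": "tls-stack", "version": "3.0.5",
     "purl": "pkg:generic/tls-stack@3.0.5"}
  ]
}
"""

# Constructed advisory feed. A component is affected when
# introduced <= version < fixed; fixed=None means no fixed release exists.
ADVISORIES = [
    {"id": "CVE-0000-0001", "component": "hl7-parser",
     "introduced": "1.0.0", "fixed": "1.8.2", "severity": "HIGH"},
    {"id": "CVE-0000-0002", "component": "tls-stack",
     "introduced": "3.0.0", "fixed": "3.0.5", "severity": "CRITICAL"},
    {"id": "CVE-0000-0003", "component": "pumpctl-core",
     "introduced": "2.4.0", "fixed": None, "severity": "MEDIUM"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into an int tuple for ordering.
    Each segment is cut at its first non-digit, so '1.2.3-rc1' compares as
    (1, 2, 3). This deliberately ignores pre-release ordering; a real feed
    matcher should use a full SemVer or PURL-type-specific comparator."""
    parts = []
    for seg in v.split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (unbounded if fixed is None)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Extract (name, version) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return [{"name": c["name"], "version": c["version"]}
            for c in bom.get("components", [])]


def match_sbom(sbom_json: str, advisories: List[dict]) -> List[Dict[str, str]]:
    """Cross every SBOM component with every advisory for that component."""
    findings = []
    for comp in load_components(sbom_json):
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": comp["name"], "version": comp["version"],
                    "id": adv["id"], "severity": adv["severity"],
                    "fixed": adv["fixed"] or "no fix available",
                })
    return findings


def gate(findings: List[Dict[str, str]],
         fail_on: Tuple[str, ...] = ("CRITICAL", "HIGH")) -> bool:
    """CI gate: pass (True) unless a finding at or above the threshold exists."""
    return not any(f["severity"] in fail_on for f in findings)


if __name__ == "__main__":
    found = match_sbom(SBOM_JSON, ADVISORIES)
    for f in found:
        print(f"{f['id']:14} {f['severity']:8} "
              f"{f['component']}@{f['version']} (fixed in {f['fixed']})")
    print("gate:", "PASS" if gate(found) else "FAIL")
```

With the constructed data only hl7-parser 1.8.0 falls inside an affected range (tls-stack 3.0.5 is exactly the fixed version and pumpctl-core 2.3.1 predates the introduced version), so the gate fails on the HIGH finding. In a real pipeline the advisory feed would come from NVD, OSV or the component vendor, and the same matching would be re-run on every published SBOM whenever the feed changes, which is what turns a one-off release check into the continuous CVE monitoring the maintenance phase calls for.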
Technical File and Audit Support
Test reports produced by TUGAY are prepared in a format that can be filed directly in the ISO 13485 QMS records and the MDR Technical Documentation, and the cybersecurity evidence required for Notified Body audits is assembled systematically:
- Test plan customized according to the IEC 62304 software class
- Threat model and risk analysis report (IEC 81001-5-1 compliant)
- SAST/DAST finding reports and remediation verification
- Software Bill of Materials (SBOM) creation support