A new development in healthcare cybersecurity is the publication of IEC TS 81001-2-2:2025, which provides updated guidance on the implementation, disclosure, and communication of security needs, risks, and controls for health software and health IT systems.
This technical specification supersedes and consolidates IEC TR 80001-2-2:2012 and IEC TR 80001-2-8:2016, extending the scope beyond medical device software to include all health software.
IEC TS 81001-2-2:2025 outlines categories of security capabilities, including:
- Technical
- Administrative
- and organizational controls
This is for managing confidentiality, integrity, availability, and other key aspects of data and system security throughout the product life cycle. It aligns terminology and structure with ISO 81001-1:2021 and the updated IEC 80001-1:2021 standards, supporting consistent exchange of information between manufacturers, healthcare delivery organizations, and stakeholders.
This new edition combines and updates the earlier IEC TR 80001-2-2 and IEC TR 80001-2-8, expands the scope from medical device IT-networks to all health software and health IT systems, restructures and enlarges the security capabilities, and adds new control mappings, definitions, and supporting annexes.
The new specification presents an informative set of capabilities and considerations rather than prescriptive requirements, enabling both manufacturers and healthcare organizations to define and communicate security controls relevant to their systems. This release is designed to facilitate more robust, transparent cybersecurity coordination in response to evolving threats and regulatory expectations.
