How NXP Is Raising the Bar for Cybersecurity in Connected Medical Devices

The modern healthcare industry has fully embraced a digital revolution. Today’s hospitals and clinical environments now fully rely on connected medical devices for diagnostics, monitoring and treatment. But this expanded connectivity also increases risk among the attack surface. Every new device introduced into a hospital network represents a potential entry point for malicious actors. The result? Cybersecurity has become completely inseparable from patient safety and regulatory compliance.

Regulators around the world are now responding to a new cybersecurity reality. From the FDA in the U.S. to the medical device regulation/in vitro device regulation (MDR/IVDR) in the EU, cybersecurity has become a baseline for product approval. Medical device manufacturers face increasing pressure to demonstrate secure development practices and ensure that technical implementations remain adequate throughout the product life cycle.

In response to these challenges, NXP is proud to announce that our secure development process has recently been certified by the International Electrotechnical Commission's (IEC), the leading international standard for cybersecurity in health software and IT systems.

IEC 81001-5-1 Provides Secure Coding Best Practices

IEC 81001-5-1 emerged in response to a longstanding gap in the medical sector. While technical safeguards like encryption or secure boot were well-understood, the industry lacked a formal standard to guide secure processes during software development. Borrowing the foundational structure from the industrial-focused IEC 62443-4-1, the new standard offers a lifecycle-oriented framework meant specifically for connected medical devices and health software.

Fundamentally, IEC 81001-5-1 codifies a risk-based approach to secure product development. It defines processes across the software life cycle, including planning, development, maintenance and vulnerability response. As such, it emphasizes secure coding best practices and mandates clear traceability between threat models, risk assessments and implemented mitigations.

Modern medical devices increasingly depend on complex, multivendor hardware and software stacks. Recognizing this, IEC 81001-5-1 introduces a systems-level approach to medical device cybersecurity. The standard acknowledges that a device’s security is not solely determined by its own design, but also by the security posture of its prebuilt components and third-party libraries—essentially, its supply chain.

Rather than evaluating each component in isolation, the standard emphasizes an integrated assessment of how components interact. It promotes a holistic view of risk management, focusing on both individual and collective vulnerabilities, how these may propagate across the system and the importance of continuous monitoring throughout the device life cycle.

Importantly, IEC 81001-5-1 encourages transparency and traceability. It requires manufacturers to maintain detailed documentation of external components and their known vulnerabilities, as well as to implement configuration management systems that track changes over time. These requirements improve security and facilitate regulatory review by creating clear, auditable evidence of conformance.

In December 2022, the FDA formally recognized IEC 81001-5-1 as a consensus standard, clearing the path for its use in 510(k) and other submissions. It is also referenced in guidance for compliance with the General Safety and Performance Requirements (GSPR) of the EU’s MDR and IVDR.

How NXP Achieved IEC 81001-5-1 Process Certification

Achieving certification of compliance to IEC 81001-5-1 required NXP to integrate medical-grade cybersecurity controls into its product development processes.

The certification of compliance was conducted by DEKRA, which verified that NXP's development workflows align with the standard’s expectations around secure software life cycle management and that all these activities were conducted according to the DEKRA’s own certification scheme. These workflows include formal processes for threat modeling, vulnerability tracking, secure configuration management and resolution of security issues—all of which were already supported under NXP’s infrastructure for other regulated domains such as automotive (ISO/SAE 21434) and industrial (IEC 62443-4-1).

By adapting these existing frameworks to the specific procedural and documentation requirements of IEC 81001-5-1, NXP established a certifiable process that aligns with both FDA-recognized expectations and EU regulatory guidance.

The Impact of IEC 81001-5-1 on Medical Device Manufacturers

By achieving IEC 81001-5-1 process certification, NXP now offers medical device manufacturers an unequivocal layer of trust via prevetted building blocks for secure medical products. We’ve reduced the compliance burden on customers by offering third-party verified assurance that components originate from a secure, mature development environment.

For design teams, early-stage decision-making is simpler. Rather than constructing secure development frameworks from scratch or retrofitting non-compliant components into regulated environments, OEMs can integrate NXP components with confidence that the underlying development artifacts are aligned with IEC 81001-5-1 principles.

For system architects, the certification provides a reliable way to document supplier due diligence, especially in areas like vulnerability analysis, secure update mechanisms and incident notification workflows. All of these fall under the manufacturer’s responsibility in the eyes of regulators, and NXP’s certification helps offload part of that burden with defensible evidence of good practices.

Future-Proofing Designs

The medical sector is evolving quickly. New technologies like AI-powered diagnostics and remote patient monitoring increase the complexity of system integration and, by extension, the complexity of cybersecurity risk. Certification to IEC 81001-5-1 helps medical OEMs scale with confidence, knowing that infrastructure components meet an accepted global standard for secure development.

While IEC 81001-5-1 does not mandate certification for individual components, industry momentum is moving in that direction—as is already the case under the upcoming Cyber Resilience Act (CRA). As the regulatory landscape matures, components that meet or exceed these expectations will become the norm, not the exception.

Fortunately, this certification is now fully integrated into NXP’s medical product development workflows. And as the regulatory landscape continues to evolve, we’re committed to expanding our secure development practices to meet the emerging requirements across the medical device value chain, including IEC 60601-4-5, an optimized version of the IEC 62443-4-2 for the medical market.

Authors

Carlos Serratos

IoT Certification Expert, NXP Semiconductors

Carlos is a specialist in IoT security and regulatory compliance. In his role as IoT Certification Expert at NXP, he engages with policymakers, regulators and industry across verticals and regions, addressing trust enablement issues for compliance, risk management, and accountability purposes. He's a subject expert in security regulatory compliance, the development of schemes and standards and their applicability in IoT markets. He is currently participating in the Connectivity Standards Alliance Product Security Working Group, co-chairing the Product Security Certification and Regulatory activities.

Daniel Kiraly

Security Manager, NXP Semiconductors

Daniel is a Security Manager for Site & Process Security Certification at NXP. He is responsible for compliance to multiple site and process certifications, including IEC 81001-5-1, IEC 62443-4-1, ISO 21434, CRA, TISAX, ISO 27001. Coming from a Common Criteria evaluator and auditor background, he ensures that development process and management system cybersecurity compliance support customer needs. Known for his collaborative approach, he bridges technical rigor with cross-functional alignment.