IEC 81001-5-1
The iec-81001-5-1 pack enforces rules based on IEC 81001-5-1 -- Health software and health IT systems safety: Security activities in the product life cycle. It covers cybersecurity requirements for health software including authentication, encryption, input validation, secure communication, access control, and audit logging.
Organization tier required
This pack requires an Organization or Enterprise license key. See sentrik.dev for details.
Enable
Rules
The pack includes 20 rules across code enforcement and documentation obligations:
Code rules (18)
| ID | Clause | Severity | Description |
|---|---|---|---|
| IEC81001-001 | 5.3.2 | critical | Hardcoded credentials violate secure authentication requirements |
| IEC81001-002 | 5.3.2 | critical | Default or common passwords in source code violate secure authentication |
| IEC81001-003 | 5.3.3 | high | MD5 and SHA-1 are cryptographically broken and must not be used in health software |
| IEC81001-004 | 5.3.3 | high | DES and 3DES are deprecated and must not be used for encryption |
| IEC81001-005 | 5.3.4 | critical | SQL queries built with string formatting are vulnerable to injection |
| IEC81001-006 | 5.3.4 | high | Shell command execution with user input enables command injection |
| IEC81001-007 | 5.3.4 | high | Unsanitized file path construction enables path traversal attacks |
| IEC81001-008 | 5.3.5 | high | HTTP transmits data in cleartext, violating secure communication requirements |
| IEC81001-009 | 5.3.5 | critical | Disabling TLS certificate verification exposes health software to MITM attacks |
| IEC81001-010 | 5.3.5 | high | TLS 1.0 and 1.1 are deprecated and must not be used in health software |
| IEC81001-011 | 5.3.6 | high | World-readable or world-writable file permissions violate access control requirements |
| IEC81001-012 | 5.3.6 | high | Wildcard CORS origin allows any site to access health software APIs |
| IEC81001-013 | 5.3.7 | high | Logging passwords, tokens, or PHI violates data protection and audit requirements |
| IEC81001-014 | 5.3.8 | medium | Exposing stack traces or internal details in responses aids attacker reconnaissance |
| IEC81001-015 | 5.3.8 | high | Debug mode in production exposes internal state and bypasses security controls |
| IEC81001-016 | 5.3.9 | high | Installing packages without integrity verification enables supply chain attacks |
| IEC81001-017 | 5.3.10 | critical | Unsafe deserialization of untrusted data can lead to remote code execution |
| IEC81001-018 | 5.3.11 | high | Use of known-vulnerable C/C++ functions creates exploitable vulnerabilities |
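To show how findings from rules like these are tagged with the clause and severity the table lists, here is an added example (not the pack's own code; the regexes are assumptions about what such a rule might match, and the sample source is constructed) that scans Python source for six of the rule IDs above and marks critical findings as build-blocking:

```python
import re

# Illustrative patterns for six of the rules above. These are assumptions
# about what such a rule would match, not the pack's own detectors.
RULES = [
    ("IEC81001-001", "5.3.2", "critical",   # hardcoded credential
     re.compile(r'(?i)(password|secret|api_key|token)\s*=\s*["\'][^"\']+["\']')),
    ("IEC81001-003", "5.3.3", "high",       # broken hash (MD5 / SHA-1)
     re.compile(r'\bhashlib\.(md5|sha1)\s*\(')),
    ("IEC81001-009", "5.3.5", "critical",   # TLS certificate verification disabled
     re.compile(r'\bverify\s*=\s*False\b')),
    ("IEC81001-010", "5.3.5", "high",       # TLS 1.0 / 1.1 protocol constants
     re.compile(r'\bPROTOCOL_TLSv1(_1)?\b')),
    ("IEC81001-012", "5.3.6", "high",       # wildcard CORS origin
     re.compile(r'Access-Control-Allow-Origin.{0,20}["\']\*["\']')),
    ("IEC81001-015", "5.3.8", "high",       # debug mode enabled
     re.compile(r'(?i)\bdebug\s*=\s*True\b')),
]

def scan(source: str) -> list:
    """Return one finding per (line, rule) match, tagged with clause and severity."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, clause, severity, pattern in RULES:
            if pattern.search(line):
                findings.append({"rule": rule_id, "clause": clause,
                                 "severity": severity, "line": lineno})
    return findings

def blocking(findings) -> bool:
    """True if any finding is critical; a CI gate would fail the build on these."""
    return any(f["severity"] == "critical" for f in findings)

# Constructed sample source: lines 2-7 each trip exactly one rule, line 8 is clean.
SAMPLE = """import hashlib, requests, ssl
DB_PASSWORD = "hunter2"
digest = hashlib.md5(record).hexdigest()
r = requests.get(url, verify=False)
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
resp.headers["Access-Control-Allow-Origin"] = "*"
app.run(debug=True)
digest = hashlib.sha256(record).hexdigest()
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']}: {f['rule']} (clause {f['clause']}, {f['severity']})")
    print("blocking:", blocking(scan(SAMPLE)))
```

The clause column is what gives each finding its traceability to IEC 81001-5-1 in compliance evidence, so it belongs in the finding record rather than only in a rule description.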
Documentation obligations (2)
| ID | Clause | Description |
|---|---|---|
| IEC81001-DOC-001 | 5.2 | Cybersecurity risk management process for health software |
| IEC81001-DOC-002 | 5.7 | Security testing activities planned and documented |
Use case
Medical device manufacturers and health IT system developers building software subject to IEC 81001-5-1 cybersecurity requirements. The pack provides:
- Health software security -- Enforces authentication, encryption, input validation, access control, and audit logging requirements across the product lifecycle
- Multi-language coverage -- Detects vulnerabilities in Python, JavaScript, Java, C#, C/C++, Go, and Rust
- Regulatory traceability -- Rules map directly to IEC 81001-5-1 clauses for cybersecurity risk management evidence
Combining with other packs
IEC 81001-5-1 works well alongside fda-iec-62304 for complete medical device coverage: