Adjacent Standards Shaping Healthcare Technology: Cybersecurity, Data Governance and Interoperability

Healthcare technology is increasingly digital, connected and data-driven. Medical device and IVD manufacturers are therefore influenced not only by sector-specific standards, but also by a wider set of “adjacent” standards that address cybersecurity, information management, data governance, sustainability and interoperability. These standards are not written specifically for healthcare, but they play an important role in how healthcare technologies are designed, deployed and maintained.

Cybersecurity and information security management

As healthcare technologies become connected to networks and cloud environments, cybersecurity has become a central consideration for compliance and patient safety. One widely used framework is BS ISO/IEC 27001 (Information security management systems). This standard focuses on establishing and maintaining an information security management system, covering areas such as risk assessment, access control, incident management and supplier security.

For healthcare technology developers, this type of framework often sits alongside sector-specific risk management and software lifecycle standards. While medical device and IVD standards focus primarily on risk management from a patient safety perspective, information security standards address risks to the confidentiality, integrity and availability of data and systems. In practice, organisations often align these approaches so that cybersecurity risks are considered as part of the overall management of product and organisational risks.

Artificial intelligence and data governance

The use of artificial intelligence in healthcare software has brought additional attention to data governance and lifecycle management. BS ISO/IEC 42001 (AI Management System) provides a structured approach to managing AI systems, including governance, accountability, risk and performance monitoring. From an AI governance perspective, there are common concerns such as data quality, bias and life cycle monitoring that must be taken into consideration.

Although it is not healthcare-specific, this standard is relevant where AI is used in clinical decision support, imaging analysis or workflow optimisation. It typically complements medical device and IVD software and clinical evaluation standards by focusing on organisational controls around AI development, deployment and monitoring, rather than clinical performance alone. There is a BSI White Paper available that focusses on “Artificial Intelligence and Machine Learning (AIML) in medical devices” which examines the issues more closely. (1)

Cloud security and outsourced services

Many healthcare technologies rely on cloud infrastructure for data storage, analytics and remote access. Cloud security standards, such as BS ISO/IEC 27017 (Information Security for Cloud Services) and BS ISO/IEC 27018 (Protection of personally identifiable information in public clouds), are commonly used to manage risks associated with cloud service providers.

These standards support healthcare organisations in understanding shared responsibility models, data protection controls and supplier oversight. They often interact with medical regulatory expectations around data protection, traceability and post-market activities, without replacing those requirements.

Interoperability and data exchange

Interoperability is essential for modern healthcare systems, enabling devices, software and health IT platforms to exchange data reliably. Standards developed by Health Level Seven, particularly HL7 FHIR (Fast Healthcare Interoperability Resources), provide a structured approach to healthcare data exchange. Health Level Seven is a standards organisation based in the UK that develops technical standards for health data exchange.

FHIR is widely used in electronic health records and digital health applications and increasingly influences how medical device and IVD software interfaces are designed. While it does not define clinical safety or performance requirements, it supports consistency and scalability when integrating medical technologies into wider healthcare ecosystems.

Broader management and organisational standards

In addition to digital-focused standards, more generic management system standards also shape healthcare technology development. ISO 13485:2016 is the internationally recognised standard for organisations involved in the life cycle of medical devices.

Standards for quality management, risk management and business continuity are often applied across organisations, including those developing medical technologies. These frameworks influence governance structures, documentation practices, supplier management and continuous improvement activities, all of which affect patient safety, regulatory readiness and operational resilience.

Although not specific to healthcare or digital technology, such standards provide a common language and structure for managing complex organisations operating in regulated environments.

How these standards interact

These adjacent standards do not replace medical device or IVD standards and regulations. Instead, they provide complementary frameworks that address organisational capability, information security, data handling and system integration. Many organisations map these standards together to create a coherent compliance approach that reflects both clinical and digital risks.

For healthcare technology developers, understanding how non-medical device standards interact with sector-specific requirements can support more robust design decisions, smoother regulatory engagement and better alignment with patient and customer expectations. As healthcare continues to digitalise, this broader standards landscape is likely to become increasingly relevant to ensuring the delivery of safe and effective innovations to patients.

The Compliance Navigator blog is issued for information only. It does not constitute an official or agreed position of BSI Standards Ltd or of the BSI Notified Body. The views expressed are entirely those of the authors.