Cybersecurity Labelling Scheme for Medical Devices

Published on 20 Oct 2022


  The Cyber Security Agency of Singapore (CSA) has collaborated with the Ministry of Health (MOH), Health Sciences Authority (HSA) and Integrated Health Information Systems (IHiS) on the Cybersecurity Labelling Scheme for Medical Devices [CLS (MD)].

2. Medical devices are now increasingly connected to the hospital and home networks, in the intranet and internet. While these connected medical devices benefit patients and healthcare providers, particularly in real-time monitoring of health status, rising connectivity could also increase cybersecurity risks and compromise patients’ personal information, clinical data or treatment protocols, ultimately affecting patient health outcomes.

3. Under the CLS (MD), medical devices are rated according to their levels of cybersecurity provisions. This will incentivise manufacturers to adopt a security-by-design approach to develop more secure products for the medical device industry. This will also enable consumers and healthcare providers to make informed decisions about the use of devices, as they can identify products according to their cybersecurity provisions.

4. The CLS (MD) was developed in consultation with the Asia Pacific Medical Technology Association (APACMed) and Singapore Manufacturing Federation – Medical Technology Industry Group (SMF - MTIG), with representatives from both MNCs and SMEs.  The CLS (MD) will apply to medical devices [defined as in the First Schedule of the Singapore Health Product Act (Cap122D, 208 Rev Ed)1 that handle health data or are able to connect to other devices, systems and services.


Details of the Scheme

5. The CLS (MD) comprises four levels of rating, represented by one, two, three, or four crosses (see Appendix for Label). Each additional cross represents an additional level of testing and assessment that the product has undergone. The general requirements for each level are as follows:

 Level 1Baseline regulatory requirements, aligned to the current registration requirements for medical devices by HSA.
 Level 2The product meets enhanced cybersecurity requirements such as device and data requirements, and may be required to pass independent 3rd party tests. More details will be released at a later date for each level.
 Level 3
 Level 4

6. For a start, all HSA-registered medical devices in Singapore are deemed compliant to CLS (MD) Level 1, as the registration requirements by HSA have already incorporated the baseline cybersecurity requirements defined in Level 1.

7 For the higher levels of the scheme, a formal consultation with the medical device industry and associations will be held in the coming month to seek feedback on their proposed requirements, including the timeline for implementation. More details on the industry consultation and CLS (MD) registration will be announced in due course.

8 For further information or clarifications on the CLS (MD), please write to



About the Cyber Security Agency of Singapore

Established in 2015, the Cyber Security Agency of Singapore (CSA) seeks to keep Singapore’s cyberspace safe and secure to underpin our Nation Security, power a Digital Economy and protect our Digital Way of Life. It maintains an oversight of national cybersecurity functions, and works with sector leads to protect Singapore’s Critical Information Infrastructure. CSA also engages with various stakeholders to heighten cyber security awareness, build a vibrant cybersecurity ecosystem supported by a robust workforce, pursue international partnerships and drive regional cybersecurity capacity building programmes.

CSA is part of the Prime Minister’s Office and is managed by the Ministry of Communications and Information. For more news and information, please visit


About the Health Sciences Authority (HSA)

The Health Sciences Authority (HSA) applies medical, pharmaceutical and scientific expertise through its three professional groups, Health Products Regulation, Blood Services and Applied Sciences, to protect and advance national health and safety. HSA is a multidisciplinary authority. It serves as the national regulator for health products, ensuring they are wisely regulated to meet standards of safety, quality and efficacy. As the national blood service, it is responsible for providing a safe and adequate blood supply. It also applies specialised scientific, forensic, investigative and analytical capabilities in serving the administration of justice. For more details, visit

For more updates on public health and safety matters, follow us on Twitter at


About HSA’s Health Products Regulation Group

The Health Products Regulation Group (HPRG) of HSA ensures that medicines, innovative therapeutics, medical devices and health-related products are wisely regulated and meet appropriate safety, quality and efficacy standards. It contributes to the development of biomedical sciences in Singapore by administering a robust, scientific and responsive regulatory framework.


About Integrated Health Information Systems (IHiS)

IHiS is a leading healthcare technology firm that integrates resilient, intelligent, secure and cost effective technology with people and processes to make healthcare more efficient, more inclusive, more accessible, and safer for patients.

IHiS supports more than 70,000 healthcare users in Singapore’s public healthcare sector to bring about healthcare transformation through the use of technology. We harness multiple healthtech domains – Health AI, telemedicine, electronic health records, digital health apps, and more, to push the boundaries for transformative health to improve population health, make healthcare more sustainable, and enhance the patient experience.

For more information, visit us at, connect with us on Facebook and follow us on LinkedIn to learn more about the latest healthcare IT news.



Report a Cybersecurity Incident

SingCERT encourages the reporting of cybersecurity incidents as it enables us to better understand the scope and nature of cyber incidents in Singapore. This will enable us to issue alerts or advisories on relevant threats, and assist a broader range of individuals and organisations.
Report Incident