Press Releases
Cybersecurity Labelling Scheme for Medical Devices Sandbox
17 October 2023
CSA, MOH, HSA, and Synapxe launched the Cybersecurity Labelling Scheme for Medical Devices [CLS(MD)] sandbox on 20 Oct 2023. This 9-month initiative invites manufacturers to test a four-level rating system, from baseline security to third-party evaluation. It aims to protect the 16,000+ connected medical devices in Singapore from cyber threats via a security-by-design approach.
1 The Cyber Security Agency of Singapore (CSA) has collaborated with the Ministry of Health (MOH), Health Sciences Authority (HSA) and Synapxe to launch the Cybersecurity Labelling Scheme for Medical Devices [CLS(MD)] sandbox.
2 About 15%, or more than 16,000 of the medical devices in Singapore’s Public Healthcare Institutions, are MDs with internet connectivity. Given that medical devices are increasingly connected to the hospital and home networks, rising connectivity could increase cybersecurity risks. For example, vulnerabilities in software used for clinical diagnostics could be exploited to cause misdiagnosis, and unsecured medical devices could be targeted in denial-of-service attacks, thus denying patients the appropriate treatment. Unsecured devices could also be used as conduits for cybercriminals to infiltrate into a hospital’s network, potentially exfiltrating data or even shutting down the network.
3 Under the CLS(MD), medical devices are rated according to their levels of cybersecurity provisions. The aim of the scheme is to incentivise manufacturers to adopt a security-by-design approach and enable consumers and healthcare providers to make more informed decisions about the use of such devices.
4 An industry consultation on the proposed framework and implementation of the CLS(MD) was held earlier this year. Over 220 responses were received from written comments, email enquiries and face-to-face consultations. The industry agreed that the CLS(MD) would raise the overall level of cybersecurity for medical devices. Majority of the feedback requested for further clarifications on the proposed requirements and implementation details. A summary of the industry consultation, published in Aug 2023, can be found here.
5 Following the industry consultation, CSA will launch the sandbox on 20th October 2023 and medical device manufacturers are invited to participate in the sandbox to have a firstmover advantage in enhancing the security of their products. Applications will be open for all four levels of rating under the CLS(MD) scheme. The sandbox allows all parties involved to test out and give feedback on the requirements and application processes for the CLS(MD) ahead of the scheme’s launch. Manufacturers will get to put their medical devices through the different assessments, such as the declaration of conformity, software binary analysis, penetration testing and security evaluation. The sandbox will run for nine months and the feedback and learning from the sandbox will be used to refine the requirements and operational workflow of the scheme where necessary.
6 The CLS(MD) comprises four levels of rating. Each additional level represents an additional level of testing and assessment that the product has undergone. The general requirements for each level, which were presented at the industry consultation and refined after, are below. They will be implemented in the sandbox.
Table caption
Level | Requirement |
|---|---|
Level 1 | The product meets baseline cybersecurity requirements. |
Level 2 | The product meets enhanced cybersecurity requirements. |
Level 3 | The product meets enhanced cybersecurity requirements and will be required to pass independent third-party software binary analysis and penetration testing. |
Level 4 | The product meets enhanced cybersecurity requirements and will be required to pass independent third-party software binary analysis and security evaluation. |
7 For further information or clarifications on the CLS(MD) sandbox, please visit CLS(MD) Sandbox or write to cls_md@csa.gov.sg.
Backgrounder on the Cybersecurity Labelling Scheme for Medical Devices
Medical devices are increasingly connected to the hospital and home networks, in the Intranet and Internet. While these connected medical devices benefit patients and healthcare providers, such as remote real-time monitoring of health status, rising connectivity could also increase cybersecurity risks. This can compromise patients’ personal information, clinical data, or treatment protocols, ultimately affecting their health outcomes.
Under the CLS(MD), medical devices are rated according to their levels of cybersecurity provisions. This will incentivise manufacturers to adopt a security-by-design approach to develop more secure products. The scheme will also enable consumers and healthcare providers to make informed decisions about the use of devices, as they can identify products according to their cybersecurity provisions. The CLS(MD) will also be aligned with the purchasing requirements of the public healthcare institutions in the future.
The CLS(MD) was developed in consultation with the Asia Pacific Medical Technology Association (APACMed) and Singapore Manufacturing Federation – Medical Technology Industry Group (SMF - MTIG), with representatives from the MNCs and SMEs.
Medical devices [defined as in the First Schedule of the Singapore Health Product Act (Cap122D, 208 Rev Ed)] that handles personal identifiable information (PII) and clinical data, or are able to connect to other devices, systems and services, may apply for the CLS(MD).
About the Cyber Security Agency of Singapore
Established in 2015, the Cyber Security Agency of Singapore (CSA) seeks to keep Singapore’s cyberspace safe and secure to underpin our Nation Security, power a Digital Economy and protect our Digital Way of Life. It maintains an oversight of national cybersecurity functions and works with sector leads to protect Singapore’s Critical Information Infrastructure. CSA also engages with various stakeholders to heighten cyber security awareness, build a vibrant cybersecurity ecosystem supported by a robust workforce, pursue international partnerships and drive regional cybersecurity capacity building programmes.
CSA is part of the Prime Minister’s Office and is managed by the Ministry of Digital Development and Information. For more news and information, please visit www.csa.gov.sg.
About the Health Sciences Authority (HSA)
The Health Sciences Authority (HSA) applies medical, pharmaceutical and scientific expertise through its three professional groups, Health Products Regulation, Blood Services and Applied Sciences, to protect and advance national health and safety. HSA is a multidisciplinary authority. It serves as the national regulator for health products, ensuring they are wisely regulated to meet standards of safety, quality and efficacy. As the national blood service, it is responsible for providing a safe and adequate blood supply. It also applies specialised scientific, forensic, investigative and analytical capabilities in serving the administration of justice. For more details, visit www.hsa.gov.sg.
About HSA’s Health Products Regulation Group
The Health Products Regulation Group (HPRG) of HSA ensures that medicines, innovative therapeutics, medical devices and health-related products are wisely regulated and meet appropriate safety, quality and efficacy standards. It contributes to the development of biomedical sciences in Singapore by administering a robust, scientific and responsive regulatory framework.
About Synapxe
Synapxe is the national HealthTech agency inspiring tomorrow’s health. The nexus of HealthTech, we connect people and systems to power a healthier Singapore. Together with partners, we create intelligent technological solutions to improve the health of millions of people every day, everywhere. Reimagine the future of health together with us at www.synapxe.sg.