20 Oct 2022
CYBERSECURITY LABELLING SCHEME FOR MEDICAL DEVICES
The Cyber Security Agency of Singapore (CSA) has collaborated with the Ministry of Health (MOH), Health Sciences Authority (HSA) and Integrated Health Information Systems (IHiS) on the Cybersecurity Labelling Scheme for Medical Devices [CLS (MD)].
2. Medical devices are now increasingly connected to the hospital and home networks, in the intranet and internet. While these connected medical devices benefit patients and healthcare providers, particularly in real-time monitoring of health status, rising connectivity could also increase cybersecurity risks and compromise patients’ personal information, clinical data or treatment protocols, ultimately affecting patient health outcomes.
3. Under the CLS (MD), medical devices are rated according to their levels of cybersecurity provisions. This will incentivise manufacturers to adopt a security-by-design approach to develop more secure products for the medical device industry. This will also enable consumers and healthcare providers to make informed decisions about the use of devices, as they can identify products according to their cybersecurity provisions.
4. The CLS (MD) was developed in consultation with the Asia Pacific Medical Technology Association (APACMed) and Singapore Manufacturing Federation – Medical Technology Industry Group (SMF - MTIG), with representatives from both MNCs and SMEs. The CLS (MD) will apply to medical devices [defined as in the First Schedule of the Singapore Health Product Act (Cap122D, 208 Rev Ed)1 that handle health data or are able to connect to other devices, systems and services.
Details of the Scheme
5. The CLS (MD) comprises four levels of rating, represented by one, two, three, or four crosses (see Appendix for Label). Each additional cross represents an additional level of testing and assessment that the product has undergone. The general requirements for each level are as follows:
| Level 1
||Baseline regulatory requirements, aligned to the current registration requirements for medical devices by HSA.
| Level 2
||The product meets enhanced cybersecurity requirements such as device and data requirements, and may be required to pass independent 3rd party tests. More details will be released at a later date for each level.
| Level 3
| Level 4
6. For a start, all HSA-registered medical devices in Singapore are deemed compliant to CLS (MD) Level 1, as the registration requirements by HSA have already incorporated the baseline cybersecurity requirements defined in Level 1.
7 For the higher levels of the scheme, a formal consultation with the medical device industry and associations will be held in the coming month to seek feedback on their proposed requirements, including the timeline for implementation. More details on the industry consultation and CLS (MD) registration will be announced in due course.
8 For further information or clarifications on the CLS (MD), please write to firstname.lastname@example.org.
About the Cyber Security Agency of Singapore
Established in 2015, the Cyber Security Agency of Singapore (CSA) seeks to keep Singapore’s cyberspace safe and secure to underpin our Nation Security, power a Digital Economy and protect our Digital Way of Life. It maintains an oversight of national cybersecurity functions, and works with sector leads to protect Singapore’s Critical Information Infrastructure. CSA also engages with various stakeholders to heighten cyber security awareness, build a vibrant cybersecurity ecosystem supported by a robust workforce, pursue international partnerships and drive regional cybersecurity capacity building programmes.
CSA is part of the Prime Minister’s Office and is managed by the Ministry of Communications and Information. For more news and information, please visit www.csa.gov.sg.
About the Health Sciences Authority (HSA)
The Health Sciences Authority (HSA) applies medical, pharmaceutical and scientific expertise through its three professional groups, Health Products Regulation, Blood Services and Applied Sciences, to protect and advance national health and safety. HSA is a multidisciplinary authority. It serves as the national regulator for health products, ensuring they are wisely regulated to meet standards of safety, quality and efficacy. As the national blood service, it is responsible for providing a safe and adequate blood supply. It also applies specialised scientific, forensic, investigative and analytical capabilities in serving the administration of justice. For more details, visit http://www.hsa.gov.sg/.
For more updates on public health and safety matters, follow us on Twitter at www.twitter.com/HSAsg.
About HSA’s Health Products Regulation Group
The Health Products Regulation Group (HPRG) of HSA ensures that medicines, innovative therapeutics, medical devices and health-related products are wisely regulated and meet appropriate safety, quality and efficacy standards. It contributes to the development of biomedical sciences in Singapore by administering a robust, scientific and responsive regulatory framework.
About Integrated Health Information Systems (IHiS)
IHiS is a leading healthcare technology firm that integrates resilient, intelligent, secure and cost effective technology with people and processes to make healthcare more efficient, more inclusive, more accessible, and safer for patients.
IHiS supports more than 70,000 healthcare users in Singapore’s public healthcare sector to bring about healthcare transformation through the use of technology. We harness multiple healthtech domains – Health AI, telemedicine, electronic health records, digital health apps, and more, to push the boundaries for transformative health to improve population health, make healthcare more sustainable, and enhance the patient experience.
For more information, visit us at www.ihis.com.sg, connect with us on Facebook and follow us on LinkedIn to learn more about the latest healthcare IT news.