Public Consultation for the Proposed Framework and Implementation of the Cybersecurity Labelling Scheme for Medical Devices, CLS(MD)
Medical devices are now increasingly connected to hospital and home networks to provide better care for our patients. However, this connectivity also increases the surface area for malicious actors to attack, which could potentially compromise patients’ personal information, clinical data or treatment protocols, ultimately affecting patient health outcomes.
2. It was announced at the Singapore International Cyber Week 2022 that the Ministry of Health (MOH), Cyber Security Agency of Singapore (CSA), Health Sciences Authority (HSA), and the Integrated Health Information Systems (IHiS) have collaborated to develop and roll out the Cybersecurity Labelling Scheme for Medical Devices [CLS(MD)]. This is in line with CSA’s CLS for smart consumer devices, which has similarly been launched to improve Internet of Things (IoT) security, raise overall cyber hygiene levels and better secure Singapore’s cyberspace.
3. The CLS(MD) was also developed in consultation with industry representatives from both the cybersecurity and medical technology communities.
4. The scope of the CLS(MD) applies to medical devices that are described in the First Schedule of the Health Products Act (Cap 122D, 2008 Rev Ed) and have any of the following characteristics:
i. Handles personally identifiable information (PII) and clinical data and has the ability to collect, store, process, or transfer such data;
ii. Connects to other devices, systems, and services: has the ability to communicate using wired and/or wireless communication protocols through a network of connections.
Key Items Under Review
5. The framework for CLS(MD) comprises four (4) cybersecurity levels of 38 clauses. HSA's current cybersecurity requirements for registering any medical device in Singapore fulfil those of Level 1. The rest of the clauses will be placed in Level 2. Independent third-party testing is required for Levels 3 and 4.
6. The testing laboratories to conduct the independent third-party testing are to be accredited to ISO 17025 and meet other requirements documented in the consultation paper.
7. The CLS(MD) labels must be printed or affixed on the packaging of devices that are sold to non-qualified medical or dental practitioners. For professional-use only devices, the printing or affixing of the label shall be optional.
8. The validity of the CLS(MD) label shall be three (3) years, during which the developer is required to support the device with security updates. The label may be revoked during the period if certain conditions are not met. Before the expiry of the label, a new CLS(MD) application is required to obtain a new label. This process can be initiated three (3) months before the expiry date of the existing label.
9. Labels may also be applied for in respect of devices currently in use. The process depends on the CLS(MD) level that is being applied for. More details of this are provided in the consultation paper.
Your Feedback is Important
10. MOH, CSA, HSA, and IHiS welcome your comments and feedback on the framework, operationalisation, awarding of labels, validity of labels, current devices in use and the application process of the CLS(MD) scheme. The consultation window will be from 25 January 2023 to 3 March 2023.
11. Please note that the contents of any written feedback submitted, and the identity of the source, may be disclosed at the conclusion of this consultation. You may request that the feedback provided be treated in confidence on grounds that the information is proprietary, confidential or commercially sensitive. Such requests will be taken into consideration.
12. Please email your feedback using the prescribed template to firstname.lastname@example.org by 3 March 2023, 1700 hrs. If you have any clarifications or queries, please also email email@example.com.