Cybersecurity Labelling Scheme for Medical Devices - CLS(MD)
Launched on 16 October 2024 by Dr. Janil Puthucheary, Senior Minister of State for Digital Development and Information & Health, the Cybersecurity Labelling Scheme for Medical Devices (CLS[MD]) is a voluntary initiative jointly developed by the Cyber Security Agency (CSA), the Ministry of Health (MOH), the Health Sciences Authority (HSA), and Synapxe. The scheme is part of Singapore’s efforts to enhance cybersecurity in the healthcare sector, improve cyber hygiene, and safeguard Singapore’s cyberspace as medical devices become increasingly connected.
Singapore is among the first in the world to have a multi-levelled cybersecurity labelling scheme specifically tailored for medical devices. The CLS(MD) seeks to improve medical device security by incentivising manufacturers to adopt a security-by-design approach while empowering healthcare providers and consumers to make informed decisions about the cybersecurity standards of the medical devices they use.
The CLS(MD) Levels
Under the CLS(MD), medical devices are rated across four levels of cybersecurity provisions. Each level indicates a progressively higher standard of security:
| Level | Requirements |
| Level 1 | The product meets baseline cybersecurity requirements. |
| Level 2 | The product meets enhanced cybersecurity requirements. |
| Level 3 | The product meets enhanced cybersecurity requirements and will be required to pass independent third-party software binary analysis and penetration testing. |
| Level 4 | The product meets enhanced cybersecurity requirements and will be required to pass independent third-party software binary analysis and security evaluation. |
The scope of CLS(MD) applies to medical devices as described in the First Schedule of the Health Product Act (Cap122D, 2008 Rev Ed) and have any of the following characteristics:
- Handles personal identifiable information (PII), clinical data and has the ability to collect, store, process or transfer such data;
- Connects to other devices, systems and services – Has the ability to communicate using wired and/or wireless communication protocols through a network of connections.
Please send any enquiries about CLS(MD) to cls_md@csa.gov.sg.
Development of the CLS(MD): Industry Consultation and Sandbox
The CLS(MD) was developed in consultation with key industry stakeholders, including manufacturers, cybersecurity firms, testing laboratories and industry associations such as the Asia Pacific Medical Technology Association (APACMed) and the Singapore Manufacturing Federation Medical Technology Industry Group (SMF-MTIG). An industry consultation exercise held from 25 January 2023 to 10 March 2023 provided valuable feedback on the proposed framework, operationalisation, and application process of the scheme. The consultation received over 220 responses, helping refine the CLS(MD) framework, particularly regarding Levels 3 and 4, the labelling requirements, and operational processes.
Following the consultation, a Sandbox phase was conducted from October 2023 to July 2024 to test the scheme’s implementation. The sandbox saw participation from 47 applications across 19 manufacturers, allowing the industry to trial the scheme and provide additional feedback. The scheme was further refined based on the feedback received during the Sandbox.
More information can be found in the Industry Consultation and Sandbox.
