CLS(MD) Consultation

Industry Consultation for the Proposed Framework and Implementation of the Cybersecurity Labelling Scheme for Medical Devices, CLS(MD)

RESPONSES FOR THE INDUSTRY CONSULTATION FOR THE PROPOSED CYBERSECURITY LABELLING SCHEME FOR MEDICAL DEVICES

23 Aug 2023

The Ministry of Health (MOH), Cyber Security Agency of Singapore (CSA), Health Sciences Authority (HSA), and Synapxe (formerly known as IHiS) held an industry consultation exercise from 25 January 2023 to 10 March 2023 on the Cybersecurity Labelling Scheme for Medical Devices [CLS(MD)], covering the proposed framework, operationalisation, cybersecurity label, and the application process. The proposed specifications were circulated to stakeholders comprising manufacturers, cybersecurity firms, testing laboratories, distributors, local Small and Medium-sized Enterprises, and relevant industry associations.

On 27 April 2023, an industry consultation meeting was held with about 30 representatives from 15 different manufacturers who are part of the two industry associations, Asia Pacific Medical Technology Association (APACMed) and Singapore Manufacturing Federation Medical Technology Industry Group (SMF-MTIG). The purpose was to address the feedback received from the industry consultation paper.

Summary of responses

The industry was generally supportive of the CLS(MD) scheme and agreed that the initiative would help to raise the overall level of cybersecurity for medical devices. The majority of the responses and feedback requested further clarification on the proposed requirements and implementation details. In summary, over 220 responses were received via written comments, email enquiries and face-to-face consultation.

Figure 1. Breakdown of responses received on the proposed Cybersecurity Labelling Scheme for Medical Devices

Of the responses received, the top three topics that the industry was concerned with were the: (i) Framework for Levels 3 and 4, (ii) CLS(MD) label and (iii) Operationalisation.

I. Framework for Levels 3 and 4

Industry representatives were supportive of the overarching principles of the framework for Levels 3 and 4 and sought greater clarity on the test methodologies and duration. More details on the conformity checklist verification, test reports to be submitted by the test laboratories, and logistical arrangement for the testing of the devices were requested.

II. CLS(MD) label

On the proposed CLS(MD) label requirements, the industry representatives requested more guidance on the labels to be affixed on medical devices. This included: (i) when the labels should be affixed to the medical devices; (ii) how the label should be shown for Software as a Medical Device; (iii) the label renewal process; and (iv) the change notification process.

III. Operationalisation

On the proposed operationalisation of the CLS(MD) scheme, the industry representatives requested more details of the certification process. These included: (i) key roles within the labelling scheme; (ii) turn-around time for applications; (iii) application fees; and (iv) applicability of CLS(MD) requirements to devices which are brought in via the Special Access Routes (SAR). They commented that the CLS(MD) should be aligned with the purchasing requirements for public healthcare institutions.

Detailed responses to key comments 

Please refer to Annex A for the detailed responses to the key comments. The full list of organisations that responded to the consultation can be found in Annex B.

Next Steps

The CLS(MD) will be a voluntary scheme, and both new and existing devices which are in scope of the CLS(MD) can apply for the label. The CLS(MD) will be aligned with the purchasing requirements of the public healthcare institutions in the future. The CLS(MD) label will be valid for a period of up to 3 years depending on the support period, and the label can be renewed nearing expiry. This is to ensure that devices remain compliant with CLS(MD) requirements amidst the continuously evolving threat landscape. As SAR devices will be subjected to cybersecurity requirements if they are to be connected to the healthcare network, manufacturers of these devices are also encouraged to apply for the CLS(MD). 

Arising from the comments raised, it was agreed at the industry consultation meeting on 27 April 2023 that a 9-month sandbox would be rolled out as the next phase of implementation. Industry representatives were supportive of the sandbox, which would allow the industry to better understand the various levels of the CLS(MD) framework. The scheme requirements will be further consulted with the test laboratories and feedback received during the sandbox would be gathered to further refine the requirements of the CLS(MD) prior to scaling the scheme up for wider adoption after the sandbox. The sandbox is planned to start in the 4th quarter of 2023. 

Manufacturers are invited to indicate their interest in the upcoming CLS(MD) Sandbox. More details on the CLS(MD) Sandbox will be gradually made available at https://www.csa.gov.sg/cls-md-sandbox and interested manufacturers who would like to participate in the sandbox can register their interest via https://www.go.gov.sg/cls-md-sandbox-signup.

Conclusion

The Ministry of Health, Cyber Security Agency of Singapore, Health Sciences Authority, and Synapxe would like to thank all respondents who have actively engaged with us during the industry consultations, which have allowed the team to better understand the concerns and priorities of the industry.

For further enquiries, please write in to cls_md@csa.gov.sg.

 


Industry Consultation for the Proposed Framework and Implementation of the Cybersecurity Labelling Scheme for Medical Devices, CLS(MD)

Background

Medical devices are now increasingly connected to hospital and home networks to provide better care for our patients. However, this connectivity also increases the surface area for malicious actors to attack, which could potentially compromise patients’ personal information, clinical data or treatment protocols, ultimately affecting patient health outcomes.

2. It was announced at the Singapore International Cyber Week 2022 that the Ministry of Health (MOH), Cyber Security Agency of Singapore (CSA), Health Sciences Authority (HSA), and Synapxe (formerly known as Integrated Health Information Systems) have collaborated to develop and roll out the Cybersecurity Labelling Scheme for Medical Devices [CLS(MD)]. This is in line with CSA’s CLS for smart consumer devices, which has similarly been launched to improve Internet of Things (IoT) security, raise overall cyber hygiene levels and better secure Singapore’s cyberspace. 

3. The CLS(MD) was also developed in consultation with industry representatives from both the cybersecurity and medical technology communities.


4. The scope of the CLS(MD) applies to medical devices that are described in the First Schedule of the Health Product Act (Cap122D, 2008 Rev Ed) and have any of the following characteristics:

i. Handles personally identifiable information (PII) and clinical data and has the ability to collect, store, process, or transfer such data;
ii. Connects to other devices, systems, and services: has the ability to communicate using wired and/or wireless communication protocols through a network of connections.

 
Key Items Under Review

5. The framework for CLS(MD) comprises four (4) cybersecurity levels of 38 clauses. HSA's current cybersecurity requirements fulfil that of Level 1 when registering any medical devices in Singapore. The rest of the clauses will be placed in Level 2. Independent third-party testing is required for Levels 3 and 4.

6. The testing laboratories to conduct the independent third-party testing are to be accredited to ISO 17025 and meet other requirements documented in the consultation paper.

7. The CLS(MD) labels must be printed or affixed on the packaging of devices that are sold to non-qualified medical or dental practitioners. For professional-use only devices, the printing or affixing of the label shall be optional.

8. The validity of the CLS(MD) label shall be three (3) years, during which the developer is required to support the device with security updates. The label may be revoked during the period if certain conditions are not met. Before the expiry of the label, a new CLS(MD) application is required to obtain a new label. This process can be initiated three (3) months before the expiry date of the existing label. 

9. Devices currently in use may also apply to have the label. The process depends on the CLS(MD) level that is being applied to. More details of this are provided in the consultation paper.

 
Your Feedback is Important

10. MOH, CSA, HSA, and IHiS welcome your comments and feedback on the framework, operationalisation, awarding of labels, validity of labels, current devices in use and the application process of CLS(MD) scheme. The consultation window will be from 25 January 2023 to 10 March 2023.

11. Please note that the contents of any written feedback submitted, and the identity of the source, may be disclosed at the conclusion of this consultation. You may request that the feedback provided be treated in confidence on grounds that the information is proprietary, confidential or commercially sensitive. Such requests will be taken into consideration.

12. Please email your feedback using the prescribed template to certification@csa.gov.sg by 10 March 2023, 1700 hrs. If you have any clarifications or queries, please also email cls_md@csa.gov.sg.

 
