Three Singapore government agencies have partnered with a local healthtech firm to launch a public consultation proposing a Cybersecurity Labelling Scheme for Medical Devices (CLS(MD)). The proposed scheme responds to the increased risk of cyber attacks on network-connected medical devices and parallels a similar labelling scheme for smart devices adopted by the Cyber Security Agency of Singapore (CSA) in October 2020.
The sponsors of the consultation—CSA, the Ministry of Health, the Health Sciences Authority (HSA) and Integrated Health Information Systems Pte.Ltd.—seek to “improve the visibility of medical devices security, raise overall cyber hygiene levels, and better secure Singapore's cyberspace for both data protection and patient safety” in the healthcare sector.
The consultation period began on 25 January 2023 and ends on 10 March 2023.
The CLS(MD) applies to medical devices described in the First Schedule of the Health Products Act 2007 which satisfy either of the following criteria:
a. Handle personal identifiable information and clinical data and can collect, store, process or transfer that data; or
b. Connect to other devices, systems, and services – i.e., have the ability to communicate using wired and/or wireless communication protocols through a network of connections.
The CLS(MD) covers four cybersecurity levels. The first and lowest level is compulsory as it corresponds to the level already required by HSA for registering and marketing medical devices in Singapore, although the consultation seeks comment on whether certain additional requirements should be added for consistency with CSA’s existing scheme for smart devices. The remaining three levels have more comprehensive requirements and increasing conditions for assessment. Although the three higher levels are proposed to be voluntary, the consultation suggests increasing threats may require future reconsideration.
The CLS(MD) framework can be summarised as follows:
Medical device manufacturers applying for a Level 1 rating must submit a declaration of conformity to the baseline requirements together with supporting evidence for review and approval to CSA or HSA, depending on the class of the device and whether the application is for labelling of a new device or for an already approved device or for renewal of a rating.
Manufacturers applying for a Level 2 rating must submit a declaration of conformity to the baseline requirements and the enhanced requirements together with supporting evidence to CSA for review and approval.
Manufacturers applying for a Level 3 rating must submit the same declaration and supporting evidence to CSA as for Level 2 and must also engage an independent testing lab to conduct (a) software binary analysis of common vulnerabilities and exposures in third party libraries, malware and software weaknesses such as buffer overflow and (b) time-bound black-box penetration testing.
Manufacturers applying for a Level 4 rating must submit to CSA everything required for Level 3 except that the independent testing lab must conduct a white-box security evaluation instead of the black-box penetration testing.
Testing labs performing Level 3 and Level 4 evaluations must satisfy certain international accreditation standards and other standards for quality, impartiality, facilities, methods and technical competency.
Labels must be affixed to the packaging of devices sold to non-qualified medical and dental practitioners (i.e., medical practitioners and dentists not registered under the Medical Registration Act 1997 and the Dental Registration Act 1999, respectively). Labels are optional for devices sold for professional use (i.e., use by or under the supervision of qualified medical and dental practitioners) only. Manufacturers are not required to apply for a label for devices in the market before the CLS(MD) scheme becomes effective.
Labels will be valid for 3 years. Manufacturers must support their devices with security updates throughout the validity period.
Level 1 labels can be renewed via self-declaration submitted to CSA. Labels for Levels 2-4 can only be renewed by submitting new applications as described above.
Labels can be revoked if the manufacturers do not comply with labelling principles and requirements established by CSA or otherwise breach terms established by CSA.
Manufacturers of medical devices sold in Singapore should review the proposed cybersecurity labelling scheme for medical devices and develop criteria to determine which label level they will seek for each of their devices.
OrionW regularly advises clients on cybersecurity matters. For more information about Singapore’s cybersecurity laws, or if you have questions about this article, please contact us at info@orionw.com.
Disclaimer: This article is for general information only and does not constitute legal advice.