Strengthening Singapore’s Healthcare Cybersecurity with the New Labelling Scheme for Medical Devices
Singapore’s newly launched Cybersecurity Labelling Scheme for Medical Devices (CLS(MD)) marks a proactive leap in cybersecurity for healthcare technology, aiming to safeguard patient data while enhancing trust in digital healthcare solutions.
The Cyber Security Agency of Singapore (CSA), along with the Ministry of Health (MOH), Health Sciences Authority (HSA), and Synapxe, has unveiled the Cybersecurity Labelling Scheme for Medical Devices (CLS(MD)). This pioneering, voluntary program rates medical devices based on cybersecurity provisions, allowing consumers and healthcare providers to make informed decisions on device security prior to use. CLS(MD) is aligned with the global cybersecurity framework and serves as a proactive measure to safeguard medical devices as they become more integrated with digital networks, which can elevate cyber risks.
In Singapore, medical devices must be registered with HSA, meeting specific regulatory requirements, including cybersecurity standards, before they can be imported, distributed, or sold. The HSA’s cybersecurity criteria adhere to guidelines from the International Medical Device Regulators Forum, a global coalition dedicated to aligning regulatory practices. However, with the increased interconnectivity of medical devices to networks at hospitals and homes, a heightened approach to cybersecurity is essential.
The CLS(MD), which is “first-in-the-world” for medical devices, was modelled after Singapore’s successful Cybersecurity Labelling Scheme for consumer smart devices launched in 2020. The scheme encourages manufacturers to adopt a security-by-design approach, which could enhance the safety and security of healthcare technology. As a representative explained, “The scheme provides a framework for both consumers and healthcare providers to assess the security standards of medical devices, fostering an environment where cybersecurity is prioritized right from the design phase.”
The CLS(MD) applies to medical devices outlined in the Singapore Health Products Act that handle personally identifiable information and clinical data or that can connect with other systems. Applications for the scheme are now open through Singapore’s GoBusiness platform. The scheme comprises four levels of security certification:
– Level 1: Devices meet baseline cybersecurity requirements.
– Level 2: Devices meet enhanced cybersecurity requirements.
– Level 3: Devices meet enhanced requirements and undergo independent third-party binary analysis and penetration testing.
– Level 4: Devices meet enhanced requirements and pass independent third-party binary analysis and comprehensive security evaluation.
Following a sandbox phase from October 2023 to July 2024, the CLS(MD) requirements were refined based on feedback from participating medical device manufacturers. During this phase, 47 applications were submitted by 19 manufacturers across the four levels for devices such as in vitro diagnostic analyzers and software-as-a-medical-device (SaMD) tools. Based on industry input, the application process and assessment methods were clarified, with templates provided to guide companies in meeting the required standards.
Michael Cheng, Chief Operating Officer of TIIM Healthcare, expressed his satisfaction with achieving Level 1 certification for TIIM’s aiTriage v1, an AI-powered decision-support tool for chest pain assessment. “Participating in the sandbox phase underscores our dedication to advancing cybersecurity in medical technology,” Cheng shared, noting that TIIM Healthcare is also working towards ISO 27001 certification for further security enhancements.
The CLS(MD) was developed in collaboration with industry bodies such as the Asia Pacific Medical Technology Association (APACMed) and the Singapore Manufacturing Federation – Medical Technology Industry Group (SMF – MTIG). These consultations included input from both multinational corporations and small-to-medium enterprises, ensuring the scheme addresses diverse needs within the medical device sector.
For further details, including application templates and specifics for each certification level, industry participants can visit the CSA website at www.csa.gov.sg/cls-md or contact CSA directly at cls_md@csa.gov.sg.
About the Cyber Security Agency of Singapore (CSA)
Founded in 2015, the CSA works to secure Singapore’s cyberspace, supporting national security, enabling the digital economy, and protecting Singapore’s digital way of life. As part of the Prime Minister’s Office, managed by the Ministry of Communications and Information, CSA collaborates with sector leads to shield Singapore’s Critical Information Infrastructure. Its initiatives range from cybersecurity education to international partnerships, bolstering a skilled cybersecurity workforce and promoting regional cybersecurity initiatives. More information is available at www.csa.gov.sg.
About the Health Sciences Authority (HSA)
The HSA plays a vital role in safeguarding health and safety in Singapore through its regulation of medical, pharmaceutical, and scientific products. HSA’s Health Products Regulation Group ensures medical devices meet rigorous standards for safety, quality, and efficacy, supporting Singapore’s biomedical development and reinforcing public trust in healthcare technology. Visit www.hsa.gov.sg for more information.
About Synapxe
As Singapore’s HealthTech agency, Synapxe is dedicated to transforming healthcare by developing innovative technological solutions that serve millions. By linking people and systems, Synapxe envisions a healthier Singapore, creating accessible health solutions for diverse populations. To learn more, visit www.synapxe.sg.
The CLS(MD) represents Singapore’s dedication to a secure digital health environment, aiming to reinforce trust in medical technology, protect patient data, and set a benchmark for global healthcare cybersecurity standards.
Source: Synapxe