As cybersecurity risks continue to proliferate, Singapore has turned its attention to the cybersecurity of medical devices. Currently, medical devices must be registered with the Health Sciences Authority (“HSA“) and meet regulatory requirements, including cybersecurity requirements, before they can be imported, distributed and sold locally. However, medical devices are becoming more digitally connected to hospital and home networks, raising the need to enhance their cybersecurity safeguards.
To address this, the Cyber Security Agency of Singapore, the Ministry of Health, HSA and Synapxe have jointly developed the Cybersecurity Labelling Scheme for Medical Devices (“CLS(MD)“), a voluntary scheme where medical devices are rated according to their levels of cybersecurity provisions.
This first-in-the-world multi-levelled CLS(MD) seeks to improve the cybersecurity of medical devices by encouraging manufacturers to adopt a security-by-design approach. The labelling scheme also allows healthcare providers and consumers to make more informed decisions from a security perspective about the medical devices they purchase and use.
The CLS(MD) applies to medical devices as defined in the First Schedule of the Singapore Health Products Act, and which handle personal identifiable information and clinical data, or are able to connect to other devices, systems and services. The scheme comprises four levels to reflect the testing and assessment that the product has undergone:
- Level 1: The product meets baseline cybersecurity requirements.
- Level 2: The product meets enhanced cybersecurity requirements.
- Level 3: The product meets enhanced cybersecurity requirements and will be required to pass independent third-party software binary analysis and penetration testing.
- Level 4: The product meets enhanced cybersecurity requirements and will be required to pass independent third-party software binary analysis and security evaluation.
Click on the following link for more information:
- CSA Press Statement titled “Launch of Cybersecurity Labelling Scheme for Medical Devices” (available on the CSA website at www.csa.gov.sg)
Disclaimer
Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.
The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.
Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.