Media Factsheet
The Cyber Security Agency of Singapore (CSA), the Ministry of Health (MOH), Health Sciences Authority (HSA) and Synapxe have jointly developed the Cybersecurity Labelling Scheme for Medical Devices [CLS(MD)], a voluntary scheme where medical devices are rated according to their levels of cybersecurity provisions.
In Singapore, medical devices currently must be registered with HSA and meet regulatory requirements, including cybersecurity, before they can be imported, distributed and sold locally. HSA's cybersecurity requirements are harmonised with the recommendations set by the International Medical Device Regulators Forum, a group of international medical device regulators that aims to accelerate global regulatory harmonisation and convergence.
However, as medical devices become increasingly connected to hospital and home networks, potentially elevating cyber risks, there is a need to take a proactive measure to enhance the cybersecurity safeguards for medical devices.
Hence, Singapore developed this “first-in-the-world” multi-levelled CLS(MD), similar to the Cybersecurity Labelling Scheme for consumer smart devices launched in 2020. The scheme seeks to improve medical device security by incentivising manufacturers to adopt a security-by-design approach. It will enable consumers and healthcare providers to make more informed decisions about the security of such devices prior to purchase and usage.
The scope of the CLS (MD) applies to medical devices as defined in the First Schedule of the Singapore Health Products Act and which handle personal identifiable information and clinical data, or are able to connect to other devices, systems and services. Applications for the CLS(MD) are now open and can be made at the GoBusiness platform. The scheme comprises four levels, with each additional level reflecting further testing and assessment that the product has undergone. The requirements for each level are below.
Level |
CLS(MD)'s Requirement |
---|---|
Level 1 |
The product meets baseline cybersecurity requirements. |
Level 2 | The product meets enhanced cybersecurity requirements. |
Level 3 | The product meets enhanced cybersecurity requirements and will be required to pass independent third-party software binary analysis and penetration testing. |
Level 4 | The product meets enhanced cybersecurity requirements and will be required to pass independent third-party software binary analysis and security evaluation. |
The launch of CLS(MD) follows the completion of the sandbox phase from October 2023 to July 2024, where medical device manufacturers were invited to put their medical devices to the test and provide feedback on the scheme. The sandbox received 47 applications across all four levels from 19 manufacturers of devices such as In Vitro Diagnostic Analysers, Software as a Medical Device and more. Based on feedback collected, the requirements and processes of the scheme have been refined, such as providing more clarity on the application process and assessment methodology with clearer templates to guide the industry on how to meet the minimum requirements.
Mr Michael Cheng, Chief Operating Officer of TIIM Healthcare, said, "We are pleased to be the first to achieve Level 1 of the CLS(MD) through the sandbox phase for aiTriage v1, our AI-powered decision support tool that assists clinicians in evaluating patients during chest pain triage. Participating in the sandbox shows our commitment to enhancing cybersecurity in medical technology. As we recognise that cybersecurity is an ongoing journey, we are also working towards ISO 27001 certification to further strengthen the cybersecurity of our products."
The CLS(MD) was developed in consultation with industry, including the Asia Pacific Medical Technology Association (APACMed) and Singapore Manufacturing Federation – Medical Technology Industry Group (SMF - MTIG), with representatives from multinational corporations and small and medium enterprises. For further information such as the finalised publications, including the templates and more details on each level, please visit www.csa.gov.sg/cls-md or write to cls_md@csa.gov.sg.