The scheme was launched by Senior Minister of State for Digital Development and Information Janil Puthucheary on Oct 16 (Image Credit: ST Lim Yaohui)
Makers of medical devices can join a new scheme to have their products rated to see if they meet cyber-security standards that guard devices from being compromised.
The voluntary scheme, launched officially on Oct 16, will rate the devices according to their level of cyber-security provisions.
In the hands of a cyber criminal, leaked healthcare data can be exploited for nefarious purposes like extortion, sabotage or causing humiliation.
To avert incidents like one in 2019 where the confidential information of 14,200 people with HIV was stolen and leaked online, it is important to prevent hackers from accessing sensitive health data, said artificial intelligence-powered healthcare company TIIM Healthcare’s chief operating officer, Mr Michael Cheng.
The company joined the scheme to have its key product, aiTriage, assessed and labelled. The tool helps clinicians more quickly identify patients whose chest pain is a sign of more serious trouble, and is now being used in emergency rooms of local hospitals.
“The data we have includes unique patient identifiers such as their date of birth. For our product specifically, we do record a patient’s clinical parameters like electrocardiogram (test results) and patient history,” said Mr Cheng.
The Cybersecurity Labelling Scheme for Medical Devices was launched at a round-table discussion on internet of things (IOT) security at the Singapore International Cyber Week by Senior Minister of State for Digital Development and Information and Health Janil Puthucheary.
In his speech at the event, Dr Janil said medical devices must be registered with the Health Sciences Authority (HSA) and meet regulatory requirements, including cyber security, before they can be imported, distributed and sold locally. “However, as medical devices become increasingly connected to hospital and home networks and potentially elevating cyber risks, there is a need to take a proactive measure to enhance the cyber-security safeguards for medical devices,” said Dr Janil.
The scheme, a collaboration between the Cyber Security Agency of Singapore (CSA), the Ministry of Health, HSA and national health technology agency Synapxe, was first announced in October 2022.
A nine-month sandbox trial was conducted from October 2023 to July 2024, where medical device manufacturers were invited to put their devices to the test and provide feedback on the scheme.
The scheme covers medical devices such as pacemakers, insulin pumps and respiratory ventilators, which handle personally identifiable information and clinical data, or are able to connect to other devices, systems and services.
It has four rating levels.
Products labelled Level 1 would have met baseline cyber-security requirements; Level 2 would have met enhanced cyber-security requirements; and Level 3 would have met the enhanced standards and be required to pass independent third-party software binary analysis and penetration testing.
A Level 4 product would similarly have met the enhanced requirements and be required to pass independent third-party software binary analysis and security evaluation at a more stringent level.
The sandbox trial saw 47 applications across all four levels from 19 manufacturers. To date, four applicants have been awarded Level 1 for their devices, while the remaining applications are still being processed. Products submitted for evaluation include pacemakers, neurology devices such as brain implants, and various types of in-vitro diagnostic analysers.
In a joint press release, the four agencies said the scheme has been refined after feedback. The application process and assessment methodology have been made clearer to guide manufacturers on how to meet the minimum requirements.
TIIM Healthcare was among the companies that took part in the sandbox, and its device was rated Level 1. Even though the device is not internet-enabled, Mr Cheng said it was worth undergoing the labelling process to ensure it is secure. “The device still has Bluetooth interfaces that we do deploy, which could potentially expose sensitive information to potential attackers.”
He added that the company has another cloud-based device for triaging chest pain, which will be sent for rating under the cyber-security labelling scheme.
The labels are valid for a maximum of three years, during which the manufacturer will have to support the device with security updates.
Applications for the labelling scheme for medical devices are now open and can be made on the GoBusiness platform.
The cyber-security labelling scheme was first introduced for IOT devices in 2020 in a bid to encourage developers to use cyber security to differentiate themselves, and for consumers to pay closer attention to IOT security. Since its launch, more than 500 IOT devices have received a label.
At the same event, CSA also signed agreements with the Korea Internet and Security Agency and Germany's Federal Office for Information Security to mutually recognise national cyber-security labels with Singapore.
“I would like to thank all our partners for the bilateral mutual recognition agreements (MRAs). These partnerships are important, and we hope to continue to have more of such MRAs over a broader range of devices,” said Dr Janil.
Source: Straits Times © Singapore Press Holdings Limited | Reproduced with permission.