As part of the government’s efforts to improve the visibility of medical devices security, raise overall cyber hygiene levels and better secure Singapore’s cyberspace, the Cybersecurity Labelling Scheme for Medical Devices (“CLS (MD)”) was announced in 2022.
Further details on the CLS (MD) have been released in a consultation paper.
In more detail
On 26 January 2023, a consultation paper setting out the proposed CLS (MD) framework was published for industry consultation.
As reported in our previous alert, the CLS (MD) is a joint initiative by the Ministry of Health, Cyber Security Agency of Singapore (CSA), Health Sciences Authority (HSA) and the Integrated Health Information Systems, and was announced at the Singapore International Cyber Week 2022.
More details on the CLS (MD) have since been published by the collaborating agencies.
Application of the CLS (MD)
The CLS (MD) will apply to all medical devices that handle personal identifiable information and clinical data; have the ability to collect, store, process or transfer such data; and have the ability to connect to other devices, systems and services (i.e., communicate using wired and/or wireless communication protocols).
Cybersecurity labels for such medical devices will be issued by the CSA and must be affixed to the packaging of medical devices that are sold to non-qualified practitioners. Professional-use medical devices are exempt from labelling requirements as there are other measures in place for professional bodies purchasing such devices.
Overview of requirements
The CLS (MD) comprises four cybersecurity levels, with Level 4 being the highest security rating and having the most comprehensive requirements. To progress to the next level, the medical device has to undergo additional tests and evaluation.
Other than the Level 1 requirements, all higher levels in the CLS (MD) are voluntary. However, requirements may be incrementally introduced due to rising cybersecurity risks.
An overview of the four cybersecurity levels are set out below:
Level 1: baseline security requirements
Level 1 consists of the cybersecurity requirements used by the HSA when reviewing medical devices seeking registration in Singapore.
In addition to these requirements that are already used by the HSA, two further requirements, which are deemed as basic cybersecurity hygiene practice and which are requirements in the Cybersecurity Labelling Scheme for Internet of Things devices, are being considered for inclusion into Level 1 for the CLS (MD).
In summary, these additional requirements are the following:
- Where passwords are used other than the factory default, the medical device passwords shall be unique per device or defined by the user.
- The device shall have a mechanism available which makes brute force attacks on authentication mechanisms impractical.
Level 2: enhanced security requirements
To obtain a Level 2 label, in addition to complying with the Level 1 requirements, the manufacturer must complete and submit a declaration of conformity for 38 security requirements, which will be reviewed by the CSA prior to approval.
Level 3: software binary analysis and time bound black-box penetration testing
To obtain a Level 3 label, in addition to complying with the Level 2 requirements, the medical devices have to undergo a software binary analysis and timebound black-box penetration testing, conducted by a testing laboratory (which must meet certain requirements).
Level 4: timebound white-box security evaluation
To obtain a Level 4 label, in addition to complying with the Level 3 requirements, the medical devices have to undergo a timebound white-box security evaluation by a testing laboratory.
Validity of label
The Level 1 label is valid for a period of three years, during which the developer is required to support the device with security updates.
The Level 2, 3 and 4 labels are valid for the period in which the developer will support the device with security updates, up to a maximum of three years.
The industry consultation is presently ongoing until 3 March 2023.
For further information and to discuss what this development might mean for you, please get in touch with your usual Baker McKenzie contact.
© 2023 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “principal” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.