Search for:

Singapore: Industry consultation for cybersecurity labelling scheme for medical devices

By 4 Mins Read

In brief

As part of the government’s efforts to improve the visibility of medical devices security, raise overall cyber hygiene levels and better secure Singapore’s cyberspace, the Cybersecurity Labelling Scheme for Medical Devices (“CLS (MD)”) was announced in 2022.

Further details on the CLS (MD) have been released in a consultation paper.

In more detail

Background

On 26 January 2023, a consultation paper setting out the proposed CLS (MD) framework was published for industry consultation.

As reported in our previous alert, the CLS (MD) is a joint initiative by the Ministry of Health, Cyber Security Agency of Singapore (CSA), Health Sciences Authority (HSA) and the Integrated Health Information Systems, and was announced at the Singapore International Cyber Week 2022. 

More details on the CLS (MD) have since been published by the collaborating agencies.

Application of the CLS (MD)

The CLS (MD) will apply to all medical devices that handle personal identifiable information and clinical data; have the ability to collect, store, process or transfer such data; and have the ability to connect to other devices, systems and services (i.e., communicate using wired and/or wireless communication protocols).

Cybersecurity labels for such medical devices will be issued by the CSA and must be affixed to the packaging of medical devices that are sold to non-qualified practitioners. Professional-use medical devices are exempt from labelling requirements as there are other measures in place for professional bodies purchasing such devices.

Overview of requirements

The CLS (MD) comprises four cybersecurity levels, with Level 4 being the highest security rating and having the most comprehensive requirements. To progress to the next level, the medical device has to undergo additional tests and evaluation.

Other than the Level 1 requirements, all higher levels in the CLS (MD) are voluntary. However, requirements may be incrementally introduced due to rising cybersecurity risks.

An overview of the four cybersecurity levels are set out below:

Level 1: baseline security requirements

Level 1 consists of the cybersecurity requirements used by the HSA when reviewing medical devices seeking registration in Singapore.

In addition to these requirements that are already used by the HSA, two further requirements, which are deemed as basic cybersecurity hygiene practice and which are requirements in the Cybersecurity Labelling Scheme for Internet of Things devices, are being considered for inclusion into Level 1 for the CLS (MD).

In summary, these additional requirements are the following:

  • Where passwords are used other than the factory default, the medical device passwords shall be unique per device or defined by the user.
  • The device shall have a mechanism available which makes brute force attacks on authentication mechanisms impractical.

Level 2: enhanced security requirements

To obtain a Level 2 label, in addition to complying with the Level 1 requirements, the manufacturer must complete and submit a declaration of conformity for 38 security requirements, which will be reviewed by the CSA prior to approval.

Level 3: software binary analysis and time bound black-box penetration testing

To obtain a Level 3 label, in addition to complying with the Level 2 requirements, the medical devices have to undergo a software binary analysis and timebound black-box penetration testing, conducted by a testing laboratory (which must meet certain requirements).

Level 4: timebound white-box security evaluation

To obtain a Level 4 label, in addition to complying with the Level 3 requirements, the medical devices have to undergo a timebound white-box security evaluation by a testing laboratory.

Validity of label

The Level 1 label is valid for a period of three years, during which the developer is required to support the device with security updates.

The Level 2, 3 and 4 labels are valid for the period in which the developer will support the device with security updates, up to a maximum of three years.

*****

The industry consultation is presently ongoing until 3 March 2023.

For further information and to discuss what this development might mean for you, please get in touch with your usual Baker McKenzie contact.

LOGO_Wong&Leow_Singapore

© 2023 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “principal” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Categories:
Author

Ren Jun Lim is a principal with Baker McKenzie Wong & Leow. He represents local and international clients in both contentious and non-contentious intellectual property matters. He also advises on a full range of healthcare, as well as consumer goods-related legal and regulatory issues. Ren Jun co-leads Baker McKenzie Wong & Leow's Healthcare as well as Consumer Goods & Retail industry groups. He sits on the Law Society of Singapore IP Committee and on the Executive Committee of the Association of Information Security Professionals. He is also a member of the Vaccines Working Group, Singapore Association of Pharmaceutical Industries, a member of the International Trademark Association, as well as a member of the Regulatory Affairs Professionals Association. Ren Jun is ranked in the Silver tier for Individuals: Enforcement and Litigation and Individuals: Prosecution and Strategy, and a recommended lawyer for Individuals: Transactions by WTR 1000, 2020. He is also listed in Asia IP's Best 50 IP Expert, 2020, recognised as a Rising Star by Managing IP: IP Stars, 2019 and one of Singapore's 70 most influential lawyers aged 40 and under by Singapore Business Review, 2016. Ren Jun was acknowledged by WTR 1000 as a "trademark connoisseur who boasts supplementary knowledge of regulatory issues in the consumer products industry." He was also commended by clients for being "very responsive to enquiries and with a keen eye for detail, he is extremely hands-on. His meticulous and in-depth approach to strategising is key to the excellent outcomes we enjoy."

Related Posts

Write A Comment