At Singapore International Cyber Week 2022, the Ministry of Health (MOH), Cyber Security Agency of Singapore (CSA), Health Sciences Authority (HSA), and the Integrated Health Information Systems (IHiS) created the Cybersecurity Labelling Scheme for Medical Devices [CLS(MD)]. This follows CSA’s CLS for smart consumer devices, which has made efforts to improve Internet of Things (IoT) security, raise overall cyber hygiene levels, and make Singapore’s cyberspace more secure. The CLS(MD) applies to medical devices that are described in the First Schedule of the Health Products Act (Cap 122D, 208 Rev Ed) and have either of the following two characteristics: (1) the device handles personal identifiable information (PII) and clinical data and has the ability to collect, store, process, or transfer such data; or (2) the device can connect to other devices, systems, and services, with the ability to communicate using wired and/or wireless communication protocols through a network of connections.
The framework for CLS(MD) comprises four cybersecurity levels made up of 38 clauses. HSA’s current cybersecurity requirements for registering any medical device in Singapore fulfill those of Level 1. The rest of the classes will be placed in Level 2. Independent third-party testing is required for Levels 3 and 4. Testing laboratories conducting the independent third-party testing will need to be accredited to ISO 17025 and meet other requirements documented in the consultation paper.
The CLS(MD) labels must be printed or affixed on the packaging of devices sold to non-qualified medical and/or dental practitioners. For professional-use-only devices, printing or affixing the label is optional. The CLS(MD) label is valid for three years. During this time, the developers are required to support the device with security updates. The label may be revoked during this period if certain conditions are not met or maintained. Before the label expires, a new CLS(MD) application is required to obtain an updated one. This process can be initiated three months before the expiration date of the existing label so that the applicant and testing labs will not need to rush. Devices currently in use may also apply for the label. The process depends on the CLS(MD) level that is being applied to the device.
Here is a brief description of the four levels. Level 1 consists of the baseline security requirements that all levels must meet. Manufacturers need to meet the existing mandatory HSA requirements, which are based on international standards adopted by major MD regulatory bodies (e.g. US FDA, Health Canada, Japan MHLW, TGA Australia). Level 2 has enhanced security requirements: manufacturers need to meet requirements titrated from MDS2, post-market policies and existing CLS standards. Level 3 covers software binary analysis and time-bound black-box penetration testing. The software of the medical device, i.e. firmware and mobile applications if available, undergoes automated binary analysis to ensure there are no known critical software weaknesses, vulnerabilities or malware. The device also undergoes time-bound black-box penetration testing to provide a basic level of resistance against common cybersecurity attacks. In a black-box penetration test, the evaluator performs testing using only limited information, i.e. only the user guidance manuals that are provided with the device. Level 4 covers time-bound white-box security evaluation. The device undergoes a time-bound white-box security evaluation to provide a higher level of resistance against cybersecurity attacks. In a white-box security evaluation, the evaluator is provided with information on the design and implementation of certain security functionalities, i.e. cryptographic functions. With more information, the evaluator is able to devise targeted tests and better assess the security functionalities of the device.
MOH, CSA, HSA, and IHiS want the public’s comments and feedback on the framework, operationalization, awarding of labels, validity of labels, current devices in use and the application process of the CLS(MD) scheme. The consultation window is from January 25, 2023 to March 3, 2023. Please note that the contents of any written feedback submitted, and the identity of the source, may be disclosed at the conclusion of this consultation. You may request that the feedback provided be treated in confidence on the grounds that the information is proprietary, confidential, or commercially sensitive. These requests will be taken into consideration.