Singapore: Industry consultation for cybersecurity labelling scheme for medical devices in progress

27 Feb 2023 4 minute read

- Share by email
- Share on
- Twitter
- LinkedIn
- Facebook
- Google plus
- Get link
- Get QR Code
- Download
- Print

Industries Healthcare & Life Sciences

In brief

As part of the government's efforts to improve the visibility of medical devices security, raise overall cyber hygiene levels and better secure Singapore's cyberspace, the Cybersecurity Labelling Scheme for Medical Devices ("CLS (MD)") was announced in 2022.

Further details on the CLS (MD) have been released in a consultation paper.

In more detail

Background

On 26 January 2023, a consultation paper setting out the proposed CLS (MD) framework was published for industry consultation.

As reported in our previous alert, the CLS (MD) is a joint initiative by the Ministry of Health, Cyber Security Agency of Singapore (CSA), Health Sciences Authority (HSA) and the Integrated Health Information Systems, and was announced at the Singapore International Cyber Week 2022.

More details on the CLS (MD) have since been published by the collaborating agencies.

Application of the CLS (MD)

The CLS (MD) will apply to all medical devices that handle personal identifiable information and clinical data; have the ability to collect, store, process or transfer such data; and have the ability to connect to other devices, systems and services (i.e., communicate using wired and/or wireless communication protocols).

Cybersecurity labels for such medical devices will be issued by the CSA and must be affixed to the packaging of medical devices that are sold to non-qualified practitioners. Professional-use medical devices are exempt from labelling requirements as there are other measures in place for professional bodies purchasing such devices.

Overview of requirements

The CLS (MD) comprises four cybersecurity levels, with Level 4 being the highest security rating and having the most comprehensive requirements. To progress to the next level, the medical device has to undergo additional tests and evaluation.

Other than the Level 1 requirements, all higher levels in the CLS (MD) are voluntary. However, requirements may be incrementally introduced due to rising cybersecurity risks.

An overview of the four cybersecurity levels are set out below:

Level 1: baseline security requirements

Level 1 consists of the cybersecurity requirements used by the HSA when reviewing medical devices seeking registration in Singapore.

In addition to these requirements that are already used by the HSA, two further requirements, which are deemed as basic cybersecurity hygiene practice and which are requirements in the Cybersecurity Labelling Scheme for Internet of Things devices, are being considered for inclusion into Level 1 for the CLS (MD).

In summary, these additional requirements are the following:

Where passwords are used other than the factory default, the medical device passwords shall be unique per device or defined by the user.
The device shall have a mechanism available which makes brute force attacks on authentication mechanisms impractical.

Level 2: enhanced security requirements

To obtain a Level 2 label, in addition to complying with the Level 1 requirements, the manufacturer must complete and submit a declaration of conformity for 38 security requirements, which will be reviewed by the CSA prior to approval.

Level 3: software binary analysis and time bound black-box penetration testing

To obtain a Level 3 label, in addition to complying with the Level 2 requirements, the medical devices have to undergo a software binary analysis and timebound black-box penetration testing, conducted by a testing laboratory (which must meet certain requirements).

Level 4: timebound white-box security evaluation

To obtain a Level 4 label, in addition to complying with the Level 3 requirements, the medical devices have to undergo a timebound white-box security evaluation by a testing laboratory.

Validity of label

The Level 1 label is valid for a period of three years, during which the developer is required to support the device with security updates.

The Level 2, 3 and 4 labels are valid for the period in which the developer will support the device with security updates, up to a maximum of three years.

*****

The industry consultation is presently ongoing until 3 March 2023.

For further information and to discuss what this development might mean for you, please get in touch with your usual Baker McKenzie contact.

© 2023 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Contact Information

Ren Jun Lim
Principal
Singapore
Read my Bio
ren.jun.lim@bakermckenzie.com

Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.