Introduction
With health care systems becoming increasingly reliant on connected medical technologies, ensuring that these devices are secure from cyber threats is paramount. Singapore is the first country in the world to develop a multi-level Cybersecurity Labelling Scheme for Medical Devices (CLS(MD)), similar to the Cybersecurity Labelling Scheme for consumer smart devices launched in 2020. The scheme was jointly developed by the Cyber Security Agency of Singapore, the Ministry of Health, the Health Sciences Authority (HSA) and Synapxe, and follows the completion of a sandbox phase in which 47 medical devices from 19 manufacturers were tested and feedback was collected.
Key features of the CLS(MD)
The CLS(MD) has four key features:
- Firmware security: Devices must support secure firmware updates, ensuring that updates are delivered via encrypted channels and that the devices reject downgraded or tampered firmware. This protects against a variety of firmware-based cyber threats.
- Communication protocols: The devices must secure all communications, whether over the internet or local networks, or between devices, to prevent common attacks such as man-in-the-middle interception or protocol version downgrade. Devices must also ensure that the communication protocols they use are not vulnerable to known attacks, such as Heartbleed or Bluetooth-related threats.
- Access control and privacy protection: Devices are assessed for their ability to handle sensitive personal and clinical data securely. This includes measures like multi-factor authentication and secure access controls to prevent unauthorised access to medical devices or their data.
- Vulnerability disclosure: Manufacturers are required to have a formal vulnerability disclosure policy. This policy ensures that any vulnerabilities found by users or researchers can be reported to the manufacturer and addressed promptly. The HSA integrates this requirement for approved medical devices, adding an extra layer of security assurance.
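The firmware security feature above combines two checks on the device side: the update must be authentic (a valid manufacturer signature, so tampered images are rejected) and it must not be a rollback (its version must be newer than what is installed). The following is an added illustration of those two checks, written for this alert and not code from CSA, HSA or any device vendor; the image layout (version number prefixed to the payload, detached Ed25519 signature), the SignFirmware helper and the constructed sample images are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed, simplified update package: a monotonically
// increasing version number, the image bytes, and a detached signature made
// by the manufacturer's Ed25519 signing key over version || payload.
type FirmwareImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("firmware rejected: signature does not verify (tampered or unsigned)")
	ErrRollback     = errors.New("firmware rejected: version is not newer than the installed one (downgrade)")
)

// signedMessage binds the version to the payload, so a validly signed old
// payload cannot be re-labelled with a newer version number.
func signedMessage(version uint32, payload []byte) []byte {
	msg := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(msg[:4], version)
	copy(msg[4:], payload)
	return msg
}

// SignFirmware is the manufacturer-side step (hypothetical helper used to
// build sample images; on a real product this runs in the vendor's
// release pipeline, never on the device).
func SignFirmware(priv ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	return FirmwareImage{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedMessage(version, payload)),
	}
}

// VerifyUpdate is the device-side gate: authenticity is checked first, then
// anti-rollback. Only an image that passes both may be installed.
func VerifyUpdate(pub ed25519.PublicKey, installedVersion uint32, img FirmwareImage) error {
	if !ed25519.Verify(pub, signedMessage(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature
	}
	if img.Version <= installedVersion {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed key pair standing in for the manufacturer's signing key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installed := uint32(2)

	good := SignFirmware(priv, 3, []byte("constructed v3 image"))
	old := SignFirmware(priv, 1, []byte("constructed v1 image"))
	tampered := good
	tampered.Payload = []byte("constructed v3 image, modified in transit")

	for name, img := range map[string]FirmwareImage{"newer": good, "older": old, "tampered": tampered} {
		fmt.Printf("%-9s -> %v\n", name, VerifyUpdate(pub, installed, img))
	}
}
```

The order of the checks matters: the signature is verified before the version is read for any decision, so the version field of an unauthenticated image is never trusted. A device that checked the version first and the signature second would still reject the images above, but would be making control-flow decisions on attacker-controlled data.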
Scope and requirements of the CLS(MD)
The CLS(MD) applies to medical devices, as defined in the First Schedule of the Singapore Health Products Act, which handle personally identifiable information and clinical data, or are able to connect to other devices, systems, and services. HSA’s cybersecurity requirements are harmonised with the recommendations set by the International Medical Device Regulators Forum.
The scheme comprises four levels, with each additional level reflecting further testing and assessment that the product has undergone. The requirements for each level are as follows:
- Level 1: The product meets baseline cybersecurity requirements.
- Level 2: The product meets enhanced cybersecurity requirements.
- Level 3: The product meets enhanced cybersecurity requirements and will be required to pass independent third-party software binary analysis and penetration testing.
- Level 4: The product meets enhanced cybersecurity requirements and will be required to pass independent third-party software binary analysis and security evaluation.
Conclusion
CLS(MD) will provide more transparency and assurance to consumers and health care providers. The scheme provides a clear pathway for medical device manufacturers to improve the cybersecurity of their products while gaining a competitive advantage in the market. Although manufacturers will face additional challenges and costs, this is part of future-proofing as the medical device industry moves toward more connected and autonomous systems, where security will be an integral aspect of device design and deployment.
Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style Reed Smith Pte Ltd (hereafter collectively, "Reed Smith"). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith's Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.
Client Alert 2024-227