When deciding which medical devices to procure, healthcare providers often consider cost, safety standards and whether they can perform the clinical task(s) intended. However, with medical devices increasingly being connected to hospitals or home networks and used to provide patient care or monitoring, cybersecurity should also be included as part of the factors to consider.
While connected medical devices bring greater convenience – particularly in real-time monitoring of a patient's health status and collaboration with other healthcare providers – the increased connectivity brings with it greater cybersecurity risks. Such risks could potentially compromise patients' personal information, clinical data or treatment protocols, ultimately affecting patient health outcomes.
Joint development of the CLS (MD)
The Ministry of Health, Cyber Security Agency of Singapore, Health Sciences Authority (HSA), and Integrated Health Information Systems have jointly developed the Cybersecurity Labelling Scheme for Medical Devices (CLS [MD]). This was announced at the Singapore International Cybersecurity Week on 20 October 2022.
CLS (MD) enables healthcare providers and consumers to identify medical devices with better in-built security and thus make better-informed purchasing decisions. In doing so, the scheme incentivises manufacturers to adopt a security-by-design approach and to develop more cyber-secure products for the medical device industry.
Under CLS (MD), medical devices are rated according to their levels of cybersecurity provisions. It was developed in close consultation with the manufacturers, including multinational corporations and small and medium-sized enterprises. CLS (MD) will be applicable to medical devices that handle personal identifiable information and clinical data, or are able to connect to other devices, systems and services, as defined in the First Schedule of the Health Product Act.1 In other words, whether a device can or should be considered under CLS (MD), it must first be required to be registered with HSA. There is no change to this regulatory requirement under CLS (MD). Devices that are currently not required to be registered with HSA, such as smartwatches, do not fall under the ambit of CLS (MD) even though they may store users' health information.
About CLS (MD)
CLS (MD) comprises four levels of rating. Each additional level represents further assessment and/or testing that the product has undergone.
The requirements for each level are as follows:
For a start, all new medical devices that are registered with HSA will be deemed to have achieved the Level 1 rating.
For higher levels of the scheme, a formal consultation with the medical device industry and associations was held in early 2023 to seek feedback on their proposed requirements, including the timeline for implementation. More details about CLS (MD), including how to use the label to guide your device procurement and what to do with existing devices, will be announced in due course.
Next stage
CLS (MD) signals a step forward in acknowledging the crucial role of cybersecurity in the healthcare and medical industry. With the increased digitalisation of healthcare delivery, it is timely to take a proactive approach to ensure that Singapore's medical devices are secured, to protect the health and safety of patients.