Singapore is taking a major step
forward in healthcare cybersecurity with the introduction of the Cybersecurity
Labelling Scheme for Medical Devices (CLS-MD). This initiative, developed
by the Cyber Security Agency (CSA), Ministry of Health (MOH), Health
Sciences Authority (HSA), and Synapxe, is a voluntary scheme aimed
at classifying medical devices by their cybersecurity safeguards. This new
measure will empower healthcare providers and consumers to make more informed
decisions based on the security profile of the devices they intend to use.
Understanding the Scope and Levels of
CLS-MD
The CLS-MD aims to tackle the
growing cybersecurity risks that arise as medical devices become increasingly
connected to networks. By encouraging manufacturers to adopt a “security-by-design”
approach, this initiative aims to mitigate risks of data breaches and ensure
the safety of medical device operations.
The scheme applies to any medical
device that processes personal or clinical data or connects to an external
system, in accordance with Singapore’s Health Products Act. There are
four cybersecurity levels under CLS-MD, reflecting the depth and rigor of
cybersecurity safeguards:
- Level 1: Meets baseline
cybersecurity requirements.
- Level 2: Adds enhanced
protections beyond basic requirements.
- Level 3: Requires
third-party analysis, including software binary analysis and penetration
testing.
- Level 4: Involves
comprehensive third-party security evaluations.
These four levels help clearly
communicate the extent of cybersecurity protections built into each device,
providing healthcare providers and consumers with valuable information for
selecting secure medical technology.
Sandbox Phase and Industry
Collaboration
The CLS-MD was developed and refined
through a sandbox phase, which took place between October 2023 and
July 2024. During this trial phase, 19 manufacturers participated,
submitting 47 applications to test the scheme’s effectiveness and
provide feedback. This collaborative effort led to important updates, such as
more refined assessment processes, clearer application templates, and
streamlined guidelines to ensure that manufacturers can meet security standards
more effectively.
The sandbox was a vital component of
CLS-MD’s development, allowing stakeholders to identify pain points and adjust
the scheme accordingly, resulting in a more efficient and transparent
certification process.
How CLS-MD Benefits Consumers and the
Medical Sector
For consumers and healthcare
providers, CLS-MD offers the ability to evaluate the cybersecurity of medical
devices with more confidence. The scheme’s tiered labelling system provides an
easy-to-understand framework that highlights the different levels of security
for various devices, making it easier to identify which products have undergone
thorough cybersecurity scrutiny.
Moreover, for manufacturers,
adopting CLS-MD is an opportunity to demonstrate a commitment to security and
stand out in an increasingly competitive marketplace. The initiative also helps
align Singapore’s medical device cybersecurity practices with international
standards, promoting a safer environment for healthcare innovation.
For more details on the CLS-MD
initiative, you can read the official announcement here.
