Singapore to Affix Cyber Safety Labels to Medical Devices
Health Services Authority Labels to Show 4 Levels of Cybersecurity Assurance
Singapore launched a voluntary plan to assign cybersecurity ratings to medical devices to help healthcare institutions make informed choices and protect their networks and patient data from cyberattacks.
The Cyber Security Agency of Singapore said Wednesday the new Cybersecurity Labeling Scheme for Medical Devices seeks to improve medical device security by "incentivizing manufacturers to adopt a security-by-design approach."
The rating system applies to medical devices and equipment that can be connected to other devices, systems and services, as well as those that handle personally identifiable information and clinical data.
The agency said cybersecurity labels assigned to medical devices will expire after three years and must be renewed by manufacturers. Medical devices must undergo testing by independent ISO 17025-accredited testing laboratories prior to receiving certification. The agency can revoke labels if the manufacturer does not comply with cybersecurity requirements associated with each label.
The Cyber Security Agency began working on the rating system after seeking public comment in January 2023.
CSA and Singapore's Ministry of Health held a sandbox phase between October 2023 and July 2024 and invited dozens of medical device manufacturers to undergo cybersecurity testing and provide feedback.
"The trial has provided critical insights and very useful feedback from the medical device manufacturers," said minister of state for Health Janil Puthucheary. "This proactive engagement has been crucial in honing the scheme, refining how it works, setting a solid foundation for its broader implementation."
Addressing a gathering at the International IoT Security Roundtable Event Wednesday, Puthucheary said cybersecurity labeling is built on a similar, successful program for smart connected devices launched in 2020.
According to the agency, medical devices undergoing cybersecurity testing will be assigned one of four ratings. Level 1 rating applies to devices that fulfill baseline cybersecurity requirements, level 2 applies to those that meet enhanced cybersecurity requirements, level 3 to those that pass independent third-party software binary analysis and penetration testing, and level 4 applies to devices that pass independent third-party software binary analysis and security evaluation.
To be approved for public use, medical devices must be registered with the Health Services Authority and meet basic cybersecurity requirements, similar to the Level 1 requirement under the voluntary labeling scheme.
Puthucheary said the World Health Organization and the Global Digital Health Partnership will soon publish their Guidance for Medical Device Cybersecurity based on Singapore's voluntary labeling scheme requirements. "This guidance note will be used to guide medical device manufacturers and healthcare delivery organizations worldwide on cybersecurity features to consider when developing and deploying medical devices," he said.
In the U.S., the Food and Drug Administration has also been working to raise cybersecurity standards for medical devices. A policy that went into effect last year for the FDA to "refuse to accept" premarket submissions for new medical devices if they lack required cybersecurity details aims to also improve the state of legacy devices in the future as they age out (see: How FDA's New Policy Aims to Improve Medical Device Security).