Singapore extends cyber security labelling scheme to medical devices

The Cyber Security Agency of Singapore (CSA) is extending the Cybersecurity Labelling Scheme (CLS) to medical devices used by hospitals in a bid to shore up the security of internet of things (IoT) devices used in healthcare settings.

Noting that devices are now increasingly connected to hospital and home networks, providing benefits such as real-time monitoring of health status, the CSA said the growing connectivity could increase security risks and compromise patients’ personal information, clinical data or treatment protocols, ultimately affecting patient health outcomes.

Under the CLS for medical devices (CLS MD), which was developed together with the Ministry of Health, Health Sciences Authority (HSA) and Integrated Health Information Systems, medical devices are rated based on four levels of cyber security provisions.

Each level corresponds to the level of testing and assessment that the product has undergone. For a start, all HSA-registered medical devices in Singapore are deemed to be compliant with CLS (MD) Level 1, as the registration requirements by the HSA have already incorporated the baseline cyber security requirements defined in Level 1.

For the higher levels in the scheme, a formal consultation with the medical device industry and associations will be held in the coming month to seek feedback on their proposed requirements, including the timeline for implementation. More details on the industry consultation and CLS (MD) registration will be announced later.

Through the new scheme, CSA hopes to incentivise manufacturers to adopt a security-by-design approach to develop more secure products for the medical device industry. The scheme will also enable consumers and healthcare providers to make informed decisions about the use of devices, as they can identify products according to their cyber security provisions.

The CLS was first launched in 2020 to provide different levels of cyber security ratings to help users make informed choices about the security features of the smart devices they purchase. As of October 2022, more than 200 products – ranging from routers to smart lighting to smart cameras – have been awarded the CLS label.

Separately, Singapore has signed a mutual recognition arrangement (MRA) with Germany’s Federal Office for Information Security (BSI) on the cyber security labels to be issued by both countries.

Under the MRA, smart consumer products issued with Germany’s IT Security Label and Singapore’s CLS will be mutually recognised in either country. Products issued with BSI’s label will be recognised by CSA to have fulfilled CLS Level 2 requirements, while products with CLS Levels 2 and above will be recognised by BSI.

Germany is the second country after Finland to formalise the mutual recognition of national cyber security labels with Singapore. Last year, CSA signed its first memorandum of understanding with the Transport and Communications Agency of Finland to recognise consumer IoT products with Finland’s Cybersecurity Label as having met CLS Level 3 requirements and vice versa.