The Cyber Security Agency of Singapore (CSA) is extending the Cybersecurity Labelling Scheme (CLS) to medical devices used by hospitals in a bid to shore up the security of internet of things (IoT) devices used in healthcare settings.
Noting that devices are now increasingly connected to hospital and home networks, providing benefits such as real-time monitoring of health status, the CSA said the growing connectivity could increase security risks and compromise patients’ personal information, clinical data or treatment protocols, ultimately affecting patient health outcomes.
Under the CLS for medical devices, or CLS (MD), which was developed together with the Ministry of Health, Health Sciences Authority (HSA) and Integrated Health Information Systems, medical devices are rated based on four levels of cyber security provisions.
Each level corresponds to the level of testing and assessment that the product has undergone. For a start, all HSA-registered medical devices in Singapore are deemed to be compliant with CLS (MD) Level 1, as the registration requirements by the HSA have already incorporated the baseline cyber security requirements defined in Level 1.
For the higher levels in the scheme, a formal consultation with the medical device industry and associations will be held in the coming month to seek feedback on their proposed requirements, including the timeline for implementation. More details on the industry consultation and CLS (MD) registration will be announced later.
Through the new scheme, CSA hopes to incentivise manufacturers to adopt a security-by-design approach to develop more secure products for the medical device industry. The scheme will also enable consumers and healthcare providers to make informed decisions about the use of devices, as they can identify products according to their cyber security provisions.
The CLS was first launched in 2020 to provide different levels of cyber security ratings to help users make informed choices about the security features of the smart devices they purchase. As of October 2022, more than 200 products – ranging from routers to smart lighting to smart cameras – have been awarded the CLS label.
Separately, Singapore has signed a mutual recognition arrangement (MRA) with Germany’s Federal Office for Information Security (BSI) on the cyber security labels to be issued by both countries.
Under the MRA, smart consumer products issued with Germany’s IT Security Label and Singapore’s CLS will be mutually recognised in either country. Products issued with BSI’s label will be recognised by CSA to have fulfilled CLS Level 2 requirements, while products with CLS Levels 2 and above will be recognised by BSI.
Germany is the second country after Finland to formalise the mutual recognition of national cyber security labels with Singapore. Last year, CSA signed its first memorandum of understanding with the Transport and Communications Agency of Finland to recognise consumer IoT products with Finland’s Cybersecurity Label as having met CLS Level 3 requirements and vice versa.