Trial to rate medical devices based on cyber security to be launched on Oct 20

SINGAPORE - As medical devices become increasingly connected to hospital and home networks, there have been growing fears that life-saving devices such as pacemakers and implantable defibrillators could be hacked, with devastating consequences.

To better guard against such vulnerabilities, Singapore is exploring an initiative to rate medical devices according to their cyber-security provisions. Other examples of devices include insulin pumps, respiratory ventilators and radiological imaging devices like X-rays and CT scanners.

It is hoped that the move can help consumers and healthcare providers identify and select medical devices with better in-built cyber security, said Senior Minister of State for Communications and Information Janil Puthucheary.

At a round-table discussion on Internet of Things (IOT) security at the Singapore International Cyber Week, Dr Janil announced that the Cyber Security Agency of Singapore (CSA) will be launching a nine-month sandbox on Friday to test application processes for the Cybersecurity Labelling Scheme for Medical Devices.

A sandbox is a contained virtual environment used for experimentation.

Participating medical device manufacturers will test and give feedback to the authorities on the requirements and application processes for the initiative ahead of the scheme’s launch.

The scheme, a collaboration between CSA, the Ministry of Health, Health Sciences Authority and national health technology agency Synapxe, was announced in October 2022.

CSA said that more than 16,000, or about 15 per cent of, medical devices in Singapore’s public healthcare have Internet connectivity.

The agency said: “Vulnerabilities in software used for clinical diagnostics could be exploited to cause misdiagnosis, and unsecured medical devices could be targeted in denial-of-service attacks, thus denying patients the appropriate treatment.

“Unsecured devices could also be used as conduits for cyber criminals to infiltrate a hospital’s network, potentially exfiltrating data or even shutting down the network.”

The scheme comprises four levels of rating.

Products labelled Level 1 would have met baseline cyber-security requirements; Level 2 would have met enhanced cyber-security requirements; and Level 3 would have met the enhanced standards and be required to pass independent third-party software binary analysis and penetration testing.

Level 4 would have similarly met enhanced requirements and will be required to pass independent third-party software binary analysis and security evaluation.

There were more than 220 responses during the industry consultation for the scheme held earlier in 2023.

“CSA can also gain valuable insights and feedback into how the requirements and operational workflow of the scheme can be further refined when the (scheme) is eventually scaled up for wider adoption. We look forward to working closely with the industry on this sandbox,” said Dr Janil.

He also gave an update on the cyber-security labelling scheme for IOT devices, launched in 2020, as part of efforts to raise overall cyber hygiene levels and better secure Singapore’s cyberspace.

Since its roll-out, the scheme has received applications for more than 550 devices, of which over 350 have received a label. These devices include Wi-Fi routers, smart home devices and home appliances.

Dr Janil said that while the Government is thrilled to see that many devices now come with a cyber-security label, the authorities hope more manufacturers will follow suit to apply.

However, he added, the Government recognises that implementing cyber-security measures can still be challenging for many manufacturers, especially those that may not have the expertise and resources to do so.

He said CSA will develop a cyber-security implementation toolkit that manufacturers can use to build devices that are “secure by design”.

“By doing so, we hope to empower manufacturers to enhance their products’ security and contribute to a safer and more secure digital environment for all,” he added.