New cyber-security labelling scheme for medical devices in the works

SINGAPORE - A national labelling scheme will soon allow healthcare providers and consumers to gauge how secure medical devices are against cyber risks to help them make educated purchasing decisions.

The Cybersecurity Labelling Scheme for Medical Devices will assess the safety of equipment, including pacemakers and ventilators, and certify them under one of four levels, with four as the highest rating.

It will apply to medical devices that handle sensitive data or can connect to other devices, systems and services, said Dr Janil Puthucheary, Senior Minister of State for Communications and Information, on Thursday during this year’s Singapore International Cyber Week.

“(The scheme) will enable consumers and healthcare providers to identify more medical devices with better in-built cyber security, and... incentivise manufacturers to develop more secure medical devices,” he added.

The scheme, a collaboration between the Ministry of Health (MOH), Health Sciences Authority (HSA), Cyber Security Agency of Singapore (CSA) and Integrated Health Information Systems (IHiS), was mentioned by Senior Minister Teo Chee Hean on Wednesday.

It is the latest development in efforts here to help consumers figure out how secure the smart devices they buy are.

Healthcare systems here were the target of Singapore’s largest high-profile cyber-security breach in 2018. The cyber attack on SingHealth and IHiS compromised the personal data of about 1.5 million patients, including Prime Minister Lee Hsien Loong.

The two organisations were later issued with a combined $1 million fine by the Personal Data Protection Commission.

The Republic introduced in 2020 the Cybersecurity Labelling Scheme, which certifies consumer Internet of Things (IoT) devices based on their cyber-security levels. CSA, which manages the scheme, has received more than 300 applications and certified more than 200 products to date.

Each of the four levels of rating under the new scheme for medical devices is represented by a cross.

The requirements to pass the first level are identical to those that medical devices must meet before they can be registered with HSA, such as having protection against unauthorised access by online users. Registration with HSA is necessary for most such devices to be eligible for sale in Singapore.

Requirements to attain the higher levels may include passing independent third-party tests, said MOH, HSA, CSA and IHiS in a joint statement.

“A formal consultation with the medical device industry and associations will be held... to seek feedback on their proposed requirements, including the timeline for implementation,” they added.

More details on the scheme will be revealed later.

On Thursday, Dr Janil noted that the IoT market has been growing rapidly, with about 50 billion devices estimated to be in use around the world by 2030.

“In medicine, these devices, (such as) ECG monitors and pacemakers, are also getting smarter as professionals seek to leverage technology to improve their ability to collect patient data, or deliver and customise therapy,” he added.

But he said many consumer IoT devices contain consumer data and information that, if leaked, could affect consumer privacy.

“In more severe cases, IoT hacks can lead to serious physical harms, even risking lives,” said Dr Janil.

He noted that the United States’ Food and Drug Administration discovered in 2017 a vulnerability in a brand of pacemakers that enabled hackers to access them, alter their function, deplete their batteries and potentially administer fatal shocks to their wearers.

Mr Paul Chua, who is cyber-security officer for Greater Asia at medical technology firm Becton, Dickinson and Company, said the new scheme is in line with his company’s focus on making cyber-secure products.

But he added that the potential requirement of passing independent third-party tests to achieve the scheme’s higher levels will lengthen the time required to introduce new medical devices here, and raise costs.

On Thursday, Singapore signed an agreement with Germany to mutually recognise the cyber-security labels issued by their government agencies.

Speaking about the agreement, Dr Janil said: “This mutual recognition will further promote the harmonisation of standards, reduce duplicated testing and costs for manufacturers globally, and improve market access for consumer IoT manufacturers between Germany and Singapore.”

Finland inked a similar memorandum of understanding with the Republic last year. 

Dr Janil also said the Government has been working with industry and government partners on a proposal to develop an international standard that will guide countries looking to set up their own labelling schemes for consumer IoT devices.
