The Cybersecurity Labelling Scheme for Medical Device [CLS(MD)] has been a recurring topic in Singapore’s medical device and cybersecurity scene. After an industry consultation from January to March 2023, a Sandbox program was conducted from October 2023 to July 2024 to test the scheme's requirements and application process. This program involved 47 applications from 19 manufacturers, leading to the public launch of the voluntary CLS(MD) on October 16, 2024, along with the release of 7 guideline publications.

One of the key updates in the final guidelines is that the program will be handled by the Cybersecurity Certification Center (CCC), under the ambit of the Cyber Security Authority of Singapore (CSA), independently of the Health Science Authority (HSA) registration process. While HSA registration remains necessary for medical device supply and use, CLS(MD) applications can be submitted through gobusiness prior to HSA registration. However, the information entered should be consistent with the HSA listing. Upon successful registration with CSA, the CLS(MD) label can be attached before or after importation to Singapore, within 6 months from the date of issue.

The choice of Cybersecurity Level depends entirely on which Cybersecurity Label the manufacturer wishes to attain. The level should also match the cybersecurity requirements that the product is able to comply with. Prior to the application process, a Feasibility Study for selecting the CLS(MD) level should be done. Additionally, a Testing Laboratory should conduct a Readiness Assessment for products pursuing Level 3 and 4.

To obtain any level of CLS(MD) Label, manufacturers must engage with a CCC-approved Testing Laboratory prior to application. The Testing Laboratory is an independent third-party organization that assesses the device's compliance with the relevant security requirements. The results of this assessment are then submitted to the CCC as part of the application process.

Level 1 CLS(MD) requires compliance with 6 Baseline Security Requirements. For devices already registered with the HSA, four of these requirements may be exempted. However, compliance with the remaining two requirements is still mandatory. Thus, HSA registration alone does not mean that a medical device complies with Level 1 CLS(MD); the additional 2 requirements must still be fulfilled. Compliance with the Level 1 requirements should be proven through a Declaration of Conformity (DoC) and supporting documents that are reviewed by the Testing Laboratory prior to submission to CCC.

Level 2 CLS(MD) mandates compliance with 38 Enhanced Security Requirements, proven by a DoC and supporting data as assessed by the Testing Lab prior to submission to CCC.

Level 3 CLS(MD) necessitates compliance with Level 2 requirements, along with Software Binary Analysis and Penetration Testing. The requirements and tests should be assessed and performed by the Testing Lab prior to submission to CCC.

Level 4 CLS(MD) requires compliance with Level 2 requirements, Software Binary Analysis, and a comprehensive Security Evaluation. The requirements and tests should be assessed and performed by the Testing Lab prior to submission to CCC.

More detailed information on the requirements for the overall scheme and for each level is available in the official publications, which are summarized below.

CLS(MD) Pub 1 – Overview of CLS(MD) v1.0

The document provides an overview of the scheme and outlines the scheme objectives, the description of the scheme, its organization and management, as well as an overview of the testing process.

This document also outlines the requirements and procedures for labelling under the scheme. It also establishes the technical oversight role of the Cybersecurity Certification Centre (CCC) in the CLS(MD) and sets out general terms and conditions for the manufacturer and/or Testing Laboratory (TL) applying for such a label.

CLS(MD) Pub 2 – Scheme Specifications v1.0

The document explains each of the four (4) cybersecurity levels, the assurance activities, and the expected deliverables for each of the levels.

CLS(MD) Pub 3 – Requirements for Testing Laboratory v1.0

Manufacturers pursuing any of the 4 levels of the CLS(MD) label should engage with an approved Testing Lab. This document defines the process, conditions, and requirements to be fulfilled by an applicant seeking to be appointed as a TL under the CLS(MD) scheme.

CLS(MD) Pub 4 – Assessment Methodology v1.0

This document specifies the assessment methodology for the Security Baseline Requirements and the Enhanced Security Requirements under the CLS(MD).

CLS(MD) Pub 5 – Minimum Test Specifications v1.0

This document provides the test specifications and methodology for the CLS(MD) and outlines the set of minimum test cases to be performed by the Testing Lab (TL) under Levels 3 and 4.

CLS(MD) Pub 6B – Declaration of Conformity for L1

CLS(MD) Pub 6B – Declaration of Conformity for L2, L3, L4

These documents are the Declaration of Conformity templates to be filled in by applicants for Levels 1-4.

CLS(MD) Pub 7 – Fee Schedule

This document outlines the application fee for each CLS(MD) level, along with the provisions for the fees charged under the scheme.

Call-to-Action

Qualtech Consulting Corporation has been a trusted partner for medical device manufacturers for over 20 years. Whether you’re a local startup or an international player, we empower your devices to enhance lives.
