CLS(MD) – An Overview
The Ministry of Health (MoH), Cyber Security Agency of Singapore (CSA), Health Sciences Authority (HSA), and the Synapxe (formerly known an IHiS) held an industry consultation from 25 January – 10 March 2023 on the Cybersecurity Labelling Scheme for Medical Devices [CLS(MD)] as an effort to provide better cybersecurity assurance for the users of medical devices that are at risk of cybercriminals and to incentivise manufacturers to adopt a security-by-design approach thus consumers and healthcare providers can make more informed decisions about the use of such devices. Under CLS(MD), medical devices are rated and labeled according to their levels of cybersecurity provisions. 
The outcome of the consultation was published on 23 August with result that the industry was generally supportive of the CLS(MD) scheme and agreed that the initiative would help to raise the overall level of cybersecurity for medical devices. However, further guidelines and details should be made to elaborate the scheme. 
As the next step, the CLS(MD) will be a voluntary scheme with both new and existing devices including SAR devices which are in scope of the CLS(MD) can apply for the label. The CLS(MD) will be aligned with the purchasing requirements of the public healthcare institutions in the future. The label will be valid for a period of up to 3 years depending on the support period, and the label can be renewed nearing expiry. 

What is Sandbox? 
Following the industry consultation meeting, it was decided that a 9-month sandbox started from 20th October 2023 would be rolled out as the next phase of implementation. Under the CLS(MD) Sandbox, manufacturers are invited to participate to test out and give feedback on the requirements and application processes by putting their medical devices through different assessments which are according to the level of labels they wish to obtain. 
The feedback and learnings from the sandbox will be used to refine the requirements and the operational workflow of the scheme where necessary. 

CLS(MD) SandBox Requirements – A Review
CLS(MD) comprises four levels (Level 1 – Level 4) of rating. Each additional level represents an additional level of testing and assessment that the product has undergone. The general requirements for each level below are applicable and implemented during sandbox. 

 Picture Credit 

  • •    Level 1: The product meets baseline cybersecurity requirements proven with DoC. 
  • •    Level 2: The product meets enhanced cybersecurity requirements proven with DoC. 
  • •   Level 3: The product meets enhanced cybersecurity requirements and will be required to pass independent third-party software binary analysis and penetration testing. 
  • •   Level 4: The product meets enhanced cybersecurity requirements and will be required to pass independent third-party software binary analysis and security evaluation. 

CSA shared further detailed requirements and testing specifications for each level during Sandbox Scheme in their published guidelines. They also shared the list of approved labs applicable for Level 3 and Level 4 testings. Manufacturers who are interested in participating in CLS(MD) SandBox can apply through GoBusiness Singapore, where CSA will review and give acceptance decision for SandBox application.  



Link1 (News link) 
Link2 (Result on the CLS(MD) Consultation Jan-March 2023)
Link3 (SandBox Information)
Link4 (Approved lab for SandBox testing)
Link5 (GoBusiness Portal link for SandBox application)