Regulatory Open Forum

By March 3, 2023, Singapore's HSA has requested industry comments on proposed device labeling for cybersecurity. The draft cybersecurity labeling scheme for medical devices (CLSMD) was initiated in late 2022 by the HSA, MOH, and Integrated Health Information Systems. Today, more medical devices are coupled between home and hospital networks, and security must be maintained.

With 38 clauses, the proposed structure for CLS includes 4 cybersecurity levels. Level 1 is already included in Singapore's existing cybersecurity law. Other devices with additional cybersecurity issues fall into level 2. For levels 3 and 4, third-party testing is needed. CLS labels will be good for 3 years but need to be renewed 3 months before the original label expires. If specific conditions do not meet these new proposed requirements, labels can become null and void.

------------------------------
Ames Gross
President
Pacific Bridge Medical
Bethesda, MD
www.pacificbridgemedical.com
contact@pacificbridgemedical.com
------------------------------

Thanks Ames for sharing.

here are the key items under review. it will be interesting to see the final framework for cyber secutiry labelling scheme 

Key Items Under Review apart from  CLAUSE 38 Proposed structure of CLS(MD)

• The framework for CLS(MD) comprises four (4) cybersecurity levels of 38 clauses. HSA's current cybersecurity requirements fulfil that of Level 1 when registering any medical devices in Singapore. The rest of the clauses will be placed in Level 2. Independent third-party testing is required for Levels 3 and 4.The testing laboratories to conduct the independent third-party testing are to be accredited to ISO 17025 and meet other requirements documented in the consultation paper.
• The CLS(MD) labels must be printed or affixed on the packaging of devices that are sold to non-qualified medical or dental practitioners. For professional-use only devices, the printing or affixing of the label shall be optional. The validity of the CLS(MD) label shall be three (3) years, during which the developer is required to support the device with security updates. The label may be revoked during the period if certain conditions are not met. Before the expiry of the label, a new CLS(MD) application is required to obtain a new label. This process can be initiated three (3) months before the expiry date of the existing label.
•  Devices currently in use may also apply to have the label. The process depends on the CLS(MD) level that is being applied to. More details of this are provided in the consultation paper.

------------------------------
Raje Devanathan
Amerisource Bergen
TPIreg, Innomar Strategies
Senior Manager - Regulatory Affairs, Medical Devices
rdevanathan@tpireg.com
3470 Superior Court
Oakville ON L6L0C4
Canada
------------------------------

Original Message:
Sent: 15-Mar-2023 16:57
From: Ames Gross
Subject: Singapore's HSA Proposes New Device Labeling Requirements for Cybersecurity

By March 3, 2023, Singapore's HSA has requested industry comments on proposed device labeling for cybersecurity. The draft cybersecurity labeling scheme for medical devices (CLSMD) was initiated in late 2022 by the HSA, MOH, and Integrated Health Information Systems. Today, more medical devices are coupled between home and hospital networks, and security must be maintained.

With 38 clauses, the proposed structure for CLS includes 4 cybersecurity levels. Level 1 is already included in Singapore's existing cybersecurity law. Other devices with additional cybersecurity issues fall into level 2. For levels 3 and 4, third-party testing is needed. CLS labels will be good for 3 years but need to be renewed 3 months before the original label expires. If specific conditions do not meet these new proposed requirements, labels can become null and void.

------------------------------
Ames Gross
President
Pacific Bridge Medical
Bethesda, MD
www.pacificbridgemedical.com
contact@pacificbridgemedical.com
------------------------------