SINGAPORE – As medical devices become increasingly connected to hospital and home networks, there have been growing fears that life-saving devices like pacemakers and implantable defibrillators could be hacked with devastating consequences.
To better guard against such vulnerabilities, Singapore is exploring an initiative to rate medical devices according to their cybersecurity provisions. Other examples of such devices include insulin pumps, respiratory ventilators and radiological imaging devices like X-ray machines and CT scanners.
It is hoped that the move can help consumers and healthcare providers identify and select medical devices with better in-built cybersecurity, said Senior Minister of State for Communications and Information Dr Janil Puthucheary.
Speaking at a roundtable on Internet-of-Things (IoT) security at the Singapore International Cyber Week, Dr Janil announced that the Cyber Security Agency of Singapore (CSA) will be launching a nine-month sandbox on Friday to test out the application processes for the Cybersecurity Labelling Scheme for Medical Devices.
A sandbox is a contained virtual environment used for experimentation.
Participating medical device manufacturers will test and give feedback to authorities on the requirements and application processes for the initiative ahead of the scheme’s launch.
The scheme, a collaboration between CSA, the Ministry of Health, Health Sciences Authority, and national health technology agency Synapxe, was announced in October 2022.
CSA said that more than 16,000, or about 15 per cent, of medical devices in Singapore’s public healthcare have Internet connectivity.
The agency said: “Vulnerabilities in software used for clinical diagnostics could be exploited to cause misdiagnosis, and unsecured medical devices could be targeted in denial-of-service attacks, thus denying patients the appropriate treatment.
“Unsecured devices could also be used as conduits for cybercriminals to infiltrate into a hospital’s network, potentially exfiltrating data or even shutting down the network.”
The scheme comprises four levels of rating.
Products labelled Level 1 would have met baseline cybersecurity requirements; Level 2 would have met enhanced cybersecurity requirements, while Level 3 would have met the enhanced standards and be required to pass independent third-party software binary analysis and penetration testing.
Level 4 would have similarly met enhanced requirements and will be required to pass independent third-party software binary analysis and security evaluation.