Cybersecurity 2025

SINGAPORE Law and Practice Contributed by: Lim Chong Kin, David N Alfred, Albert Pichlmaier and Goh Boon Yeow, Drew & Napier LLC

designated owners of CII within the healthcare sector would be subject to the same requirements as laid out in 2.2 Critical Infrastructure Cybersecurity Requirements. Beyond CII, there are a number of security requirements relating to devices in the medical field. Depending on the type of medical device, the relevant regulators may include the Health Sciences Authority (HSA), the National Environment Agency and the IMDA. Where applicable, healthcare providers must also comply with the National Telemedicine Guidelines, which include data protection and security requirements. Insofar as a medical device is used by an organisation to collect personal data (eg, device test results are uploaded onto a server owned by the organisation), the organisation must comply with the protection obligation under the PDPA (as described in 6.1 Cybersecurity and Data Protection above).

On 4 December 2023, the Cyber and Data Security Guidelines for Healthcare Providers (Healthcare Guidelines) were published. The Healthcare Guidelines provide guidance on the cyber and data security measures to be put in place for the proper storage, access, use and sharing of health information to improve the security posture amongst healthcare providers. Healthcare providers looking to better understand and meet the Healthcare Guidelines can also refer to the Cyber and Data Security Guidebook for healthcare providers for explanations and references to resources from the CSA and PDPC. While not mandatory, the requirements within the Healthcare Guidelines will eventually be imposed as regulatory requirements under the upcoming Health Information Act, which has yet to come into force at the time of writing.

In October 2024, the Cybersecurity Labelling Scheme for Medical Devices (CLSMD), which was jointly developed by the CSA, Ministry of Health, HSA and Synapxe, was launched. Under this voluntary scheme, medical devices are rated according to four levels of cybersecurity provisions, with each level indicating a progressively higher standard of security. The label aims to improve security awareness by making the cybersecurity provisions of medical devices more transparent to healthcare users, thereby empowering them to make more informed purchasing decisions.

The CLSMD applies to medical devices as described in the First Schedule of the Health Products Act 2007 that have any of the following characteristics:

• handle personal identifiable information and clinical data, and can collect, store, process, or transfer such data; and
• connect to other devices, systems, and services, and can communicate using wired and/or wireless communication protocols through a network of connections.
