
In short
On March 10, 2025, the Health Sciences Administration (HSA) launched a public consultation on the “Guidelines for Best Practices for Cyber Security of Medical Equipment”. The document gives medical device manufacturers and healthcare providers best-practice advice and considerations on general cybersecurity principles for protecting the safety of medical devices throughout the product life cycle.
The best-practice guidelines for medical device cybersecurity do not impose regulatory requirements; they share best practices for medical device manufacturers and healthcare providers. Their general principles are shared responsibility, transparency and communication between manufacturers and healthcare providers, and ensuring that devices are secure by design. The substantive guidance is split between the pre-market and post-market phases, which together cover the entire product life cycle of a medical device.
Pre-market stage
For the development stage, the guide sets out best practices for medical device manufacturers under the following elements:
- Secure by design: Incorporate security features into the product design
- Risk management strategy: Identify, analyze and mitigate cybersecurity risks
- Security testing: Perform thorough security testing to identify and correct vulnerabilities in the device
- User information: Provide comprehensive user documentation on how to operate the device securely and effectively
- Post-market plan: Develop a plan for cybersecurity activities after the device enters the market, including monitoring, prompt detection and resolution of any security threats that arise
- Bill of materials: List the device's software components so that they, and any issues subsequently found in them, can be tracked
Post-market stage
At this stage the guide envisions greater involvement of healthcare providers alongside device manufacturers, so its best practices address both parties across three phases: the support phase, the limited support phase and the end-of-support phase. The guide recognizes that a product eventually reaches the end of its life cycle, provides for this accordingly, and gradually shifts responsibility from the device manufacturer to the end user.
- Support phase: Guidance for manufacturers on the comprehensive cybersecurity support to be provided to healthcare providers at this stage.
- Limited support phase: Guidance for manufacturers and healthcare providers on best practices for managing the transition out of full support.
- End-of-support phase: Healthcare providers are the main focus of the guidelines at this stage, although some recommendations are directed at manufacturers.
HSA has been active in ensuring the cybersecurity of medical devices. This has led to initiatives such as the Cybersecurity Tag Program for Medical Devices, launched on October 16, 2024. Medical device manufacturers and healthcare providers should continue to stay up to date with HSA developments in order to comply with regulatory requirements and best practices.
The consultation period for the guide runs from March 10, 2025 to May 12, 2025.
* * * * *
©2025 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is a member firm of Baker & McKenzie International, a global law firm with member law firms worldwide. In accordance with the common terminology used in professional service organizations, reference to a “principal” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “attorney advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.