
Health-ISAC Hacking Healthcare 4-2-2025

This week, Health-ISAC®'s Hacking Healthcare® examines a new opportunity for Health-ISAC members to shape compliance and guidance efforts on healthcare cybersecurity issues. Join us as we assess a new draft of medical device cybersecurity best practices from Singapore.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).


PDF Version: TLP WHITE Hacking Healthcare 4.2.2025


Text Version:

Welcome back to Hacking Healthcare®.

Singapore Introduces Medical Device Cybersecurity Best Practices Draft Guidance 

The Singaporean government’s Health Sciences Authority (HSA) has opened a public consultation that may be of interest to both medical device manufacturers and healthcare sector entities that utilize medical devices.[i] The 21-page “Best Practices Guide for Medical Device Cybersecurity” is open to public feedback until May 12, and the HSA is eager to hear from stakeholders.[ii] Let’s examine the origins of this effort and its approach.

Background

Noting the “rapidly evolving landscape of healthcare technology” and the need to ensure that these critical technologies are secure from threats that may harm patient care, the HSA developed this guidance document to provide medical device manufacturers and healthcare providers “recommendations on cybersecurity best practices for medical devices, focusing on both pre-market and post-market stages of the device’s total product lifecycle (TPLC).”[iii] The document is intended solely to provide entities with best practices and considerations on medical device cybersecurity. It should not be read as a legal or regulatory obligation, nor as a means of satisfying existing laws and regulations.

Content

Despite its relatively short length, the guide packs in a lot of information by eschewing lengthy introductions and explanations and remaining at an appropriately high level. After briefly outlining the intended scope and definitions, the guide is divided into four main sections. The first two set the stage; most of the document is dedicated to outlining best practices within the pre- and post-market stages of the TPLC.

  • General Principles: The HSA’s approach highlights three elements that should be very familiar to Health-ISAC members. The first is the shared responsibility model, which frames medical device cybersecurity as a collaborative effort between manufacturers and end-users, sustained across the device’s lifecycle, to ensure safe, secure, and effective use. The second emphasizes transparency and communication, underscoring the need for timely information sharing and coordinated vulnerability disclosure. The third, “secure by design,” should also be familiar to those following policy developments in the U.S. and the E.U.; it reiterates the need to build cybersecurity into medical devices from the very beginning of development.
  • Overview of the Total Product Life Cycle Framework: Here, again, the HSA’s approach should be familiar to many, as the guide reinforces that “cybersecurity threats and vulnerabilities need to be considered throughout the Total Product Life Cycle (TPLC) of the medical device.”[iv] The HSA has broken the TPLC down into four distinct stages: Development, Support, Limited Support, and End of Support. 
  • Pre-market: The pre-market guidance section addresses topics such as designing security features, risk management strategies, security testing, Software Bill of Materials (SBoM), and medical devices that employ artificial intelligence (AI). 
  • Post-market: The post-market guidance section addresses the various support stages, from procurement and installation through to the limited and end-of-support stages. Included are topics on post-market surveillance, cybersecurity training, responsibly transferring between stages, and considerations for winding down support. 

Let’s examine some of the broader themes and approaches in the Action & Analysis section. 


Action & Analysis 
**Included with Health-ISAC Membership**


[i] https://www.hsa.gov.sg/announcements/regulatory-updates/public-consultation-on-best-practices-guide-for-medical-device-cybersecurity

[ii] https://www.hsa.gov.sg/docs/default-source/hprg-mdb/regulatory-updates/best-practices-guide-on-medical-device-cybersecurity_draft-for-consultation.pdf?sfvrsn=8dcfa560_1

[iii] https://www.hsa.gov.sg/docs/default-source/hprg-mdb/regulatory-updates/best-practices-guide-on-medical-device-cybersecurity_draft-for-consultation.pdf?sfvrsn=8dcfa560_1

[iv] https://www.hsa.gov.sg/docs/default-source/hprg-mdb/regulatory-updates/best-practices-guide-on-medical-device-cybersecurity_draft-for-consultation.pdf?sfvrsn=8dcfa560_1
