2 March, 2018
The Government Technology Agency of Singapore ("GovTech") recently cited an industry report stating that healthcare ranked among the top five industry sectors that experienced the highest incidences of cyberattacks. Such attacks are only likely to intensify as medical devices become increasingly connected to each other, to public hospital networks, and to the Internet.
The susceptibility of medical devices to cyberattacks poses a threat not only to individuals, but also to communities and organisations. While it is clear that certain compromised medical devices (e.g. life support systems) pose a direct risk to patients, it is perhaps less evident that such devices could also be easy targets for those seeking highly sensitive and confidential information. Without the necessary security arrangements in place, real-time health data can easily be appropriated to reverse-engineer information such as the location and layout of secret military bases, as was the case with the Strava fitness app.
Many countries in Asia Pacific have recognized the increasing danger that such devices pose, and have acted swiftly to regulate them. For example, the Ministry of Food and Drug Safety of South Korea recently issued draft medical device cybersecurity guidelines which impose heightened technical standards for medical devices with wired and/or wireless communication functions. Under these draft guidelines, companies must comply with cybersecurity-related requirements before the regulator will process the application.
However, GovTech acknowledges that in Singapore, while "medical device manufacturers and hospitals are seeking to improve their own cybersecurity measures, there is currently no industry standard for them to abide by." The Health Products (Medical Devices) Regulations, issued pursuant to the Health Products Act, only classifies medical devices according to non-cybersecurity-related factors, such as their degree of invasiveness and their duration of contact with the body. Further, HSA's Regulatory Guideline for Telehealth Products only requires dealers of telehealth medical devices to perform post-market surveillance duties, such as the reporting of adverse events, without specific guidelines on the technical standards required.
It remains to be seen how Singapore will address cybersecurity issues relating to medical devices, whether by imposing obligations on medical device manufacturers or otherwise.
For further information, please contact:
Andy Leck, Principal, Baker & McKenzie.Wong & Leow
andy.leck@bakermckenzie.com