On 10 March 2025, the Health Sciences Authority (HSA) launched its public consultation for the draft on the Best Practices Guide for Medical Device Cybersecurity. The document provides medical device manufacturers and healthcare providers with best practice recommendations and considerations on general cybersecurity principles to protect the security of medical devices for their entire product life cycle.
Summary of guidelines
The Best Practices Guide for Medical Device Cybersecurity is not meant to provide regulatory requirements but instead share best practices for medical device manufacturers and healthcare providers. The general principles that undergird the best practices are shared responsibilities between manufacturers and healthcare providers, transparency and communication, and ensuring that devices are secure by design. The substantive guidelines are separated according to pre-market and post-market stages and collectively encompass the entire product life cycle of medical devices.
Pre-market stage
The guide provides best practices for medical device manufacturers at the development stage based on the following elements:
- Designing security features: incorporating security features into product design
- Risk management strategies: identifying, analyzing and mitigating cybersecurity risks
- Security testing: conducting thorough security testing to identify and rectify any vulnerabilities in the device’s security
- User information: providing comprehensive user guidelines on how to operate the device safely and effectively
- Post-market plan: developing a plan for cybersecurity activities, including monitoring, timely detecting and addressing any security threats that arise after the device enters the market
- Software bill of materials: listing software components to provide oversight over the components of the devices and any attendant vulnerability in the respective components
Post-market stage
At this stage, the guide envisions greater involvement of healthcare providers alongside device manufacturers. Thus, the best practices are aimed at providing guidance for both parties and into three stages: the support stage, the limited-support stage and the end-of-support stage. The guide is cognizant of the gradual transfer of responsibility from the device manufacturer to the end user as the product reaches the end of its life cycle and makes provisions accordingly within the guidelines.
- Support stage: Manufacturers are given guidance as to the comprehensive cybersecurity support that they are expected to provide to healthcare providers at this stage.
- Limited-support stage: This stage gives guidance to both manufacturers and healthcare providers on the best practices to manage the transition from full support.
- End-of-support stage: Security providers are the primary focus of the guidelines at this stage with some recommendations targeted at manufacturers in a residual role.
Key takeaways
The HSA has been active in ensuring the cybersecurity of medical devices. This has resulted in initiatives such as the cybersecurity labeling scheme for medical devices that was launched on 16 October 2024. Medical device manufacturers and healthcare providers should continue to stay updated on the HSA’s developments to keep in line with regulatory requirements and best practices.
The consultation period for the guide is running from 10 March 2025 to 12 May 2025.
