Synapxe collaborates with global health coalition to develop cybersecurity guidelines for medical devices

By Amit Roy Choudhury

The new framework launched by the Global Digital Health Partnership provides comprehensive cybersecurity guidelines for manufacturers and healthcare providers to safeguard connected medical devices

At the announcement of the GMDC framework at Singapore’s GovWare Healthcare Forum 2024. From left to right: Leon Chang, Assistant Chief Executive, Cyber Defence Group & Chief Risk Officer at Synapxe; Lisa Lewis Person, US Deputy Assistant Secretary for Technology Policy and Co-Chair of GDHP Cyber Security Work Stream; Mikki Smith, CISO and Director of Cybersecurity & Enterprise Architecture at HHS; and Fuller Yu, Chief Information Security Officer at the Hong Kong Hospital Authority. Image: Synapxe

In a move to standardise and bolster the cybersecurity of medical devices, the Global Digital Health Partnership (GDHP) Cyber Security Work Stream, in collaboration with Singapore’s national HealthTech agency, Synapxe, announced the global launch of the GDHP Guidance for Medical Device Cybersecurity (GMDC) framework on the GDHP web portal at Singapore’s GovWare Healthcare Forum 2024 on October 16.


The GDHP Cyber Security Work Stream focuses on strategies that can strengthen the processes and practices designed to protect healthcare-related devices, systems, and networks. Its membership currently consists of the digital health authorities of 40 countries, representing more than 40 per cent of the global population.


GDHP Cyber Security Work Stream collaborated with Synapxe to develop GMDC, a comprehensive international framework targeted at medical device manufacturers (MDM) and healthcare delivery organisations (HDO).


It comprises four medical device cybersecurity levels, with each higher level recommending more comprehensive assessments. By recommending cybersecurity requirements for medical devices tiered into these four levels, GMDC will guide manufacturers in developing “secure-by-design” products.

Adapted from Singapore’s cybersecurity labelling scheme


The new framework has been adapted from the four levels of security assurance outlined in Singapore’s Cybersecurity Labelling Scheme for Medical Devices [CLS(MD)], according to a release by Synapxe.



GMDC leveraged the foundational work of Singapore’s cybersecurity framework, as well as international regulatory requirements and standards, and has been designed to safeguard medical devices on a global scale.


The framework applies to medical devices that handle personally identifiable information (PII) and clinical data with the ability to collect, store, process, or transfer such information.


It also applies to those connecting to other devices, systems, and services through wired and wireless communication protocols via a network of connections.


GMDC also equips healthcare organisations with the ability to identify the most pertinent cybersecurity features that they should look out for when deploying and using medical devices in the clinical setting.


HDOs can use the framework by requiring a declaration of conformity by manufacturers as part of their procurement efforts. 

Ushering in a mindset shift


Speaking with GovInsider, the US Deputy Assistant Secretary for Technology Policy, and Co-Chair of GDHP Cyber Security Work Stream, Lisa Lewis Person, noted that the GMDC could help to usher in a mindset shift.


She said the healthcare industry needed to change its perception that cybersecurity is something for somebody else to worry about.


“It has to be ingrained in everything we do and be a part of the people, processes, and the technology… it is a patient safety issue, and it must be built into fullest part, secure by design,” Person said.


She said that GMDC, even though it is an advisory, would push manufacturers to think about security as a part of what they must do. She added that it would also result in hospitals and other purchasers of these medical devices insisting that manufacturers adhere to these guidelines.


“Thinking about it differently is how we will make change in the space, and it is critical for all of us as patients and caregivers to want this change to happen,” she said.

Standardising requirements


Synapxe’s Assistant Chief Executive, Cyber Defence Group & Chief Risk Officer, Leon Chang, noted that often, medical equipment manufacturers struggle globally because different countries have different requirements for the same medical device.


He told GovInsider that such manufacturers wish there was more commonality in security standards, as that would make manufacturing much easier.


“For the hospitals and the medical centres, with the guidance, they now have a baseline to ask some questions to the medical device manufacturers,” he said. He added that GMDC was intended to help both the device makers and users with guidance on what the best practices are in medical cybersecurity.


Chang noted that GMDC is a general guideline for global sharing. Each health delivery organisation will have to make its own choice as it is not mandatory, he added.


“If security is not dealt with, it compromises patient safety… and hopefully, through the guidelines, we can give them (health delivery organisations) the tool to ask the right questions.



“If they see some of the manufacturers already have to achieve a certain standard, and they announce it publicly, maybe for the same amount they spend on that device, they better buy the one that has achieved the standard,” Leon said.

Not a one-off exercise


Hong Kong Hospital Authority’s Chief Information Security Officer, Fuller Yu, noted that the guidance does not make cybersecurity a “one-off exercise”.


He said when manufacturers develop the product, they need to also make sure the maintenance mode is up to date with regular patching and other actions that ensure the devices are protected against the latest cybersecurity threats.


Synapxe CEO, Ngiam Siew Ying, said that the launch of the framework is another “strong demonstration” of active collaboration among the world’s digital health community.


“We are heartened that our pioneering work in Singapore served to guide the formulation of the GMDC, which can potentially enable healthcare institutions around the world to stay ahead of evolving cybersecurity threats that are challenging our digital health services today,” she said.