Asia-Pacific Roundup: Singapore’s HSA seeks feedback on medical device cybersecurity best practices
Roundups | 17 March 2025 |
Singapore’s Health Sciences Authority (HSA) is running a consultation into its proposed best practices guide for medical device cybersecurity.
HSA’s Medical Devices Cluster outlined the need for the guide in the draft document, explaining that the cybersecurity of medical devices has become a critical concern. The rise of interconnected devices that depend on software has provided immense benefits, HSA said, but also created vulnerabilities to cyber threats that can lead to patient harm, delays in treatment and other negative outcomes.
The guide is intended to help device manufacturers and healthcare providers to mitigate the threats. The document features recommendations on cybersecurity best practices for both before and after products come to market.
HSA covers pre- and post-market cybersecurity requirements as part of a total product life cycle model. The guide says it is crucial for manufacturers to consider cybersecurity risks at each stage of the life cycle, from development to end of support. Manufacturers and healthcare providers share responsibilities from development through end of life. Providers are solely responsible at the end of support stage.
It is important for manufacturers to “prioritize medical device cybersecurity throughout the entire life cycle,” HSA said, but there are specific elements that should be considered in the development phase. By designing security features, executing risk management strategies and developing a post-market plan, manufacturers can ensure the security of the medical device throughout the life cycle, HSA said.
The pre-market section of the guide includes specific considerations for devices with artificial intelligence features. The fast advancement and uptake of AI could “make it a prime target” for malicious actors, HSA said, and the rise of generative AI could create new threats such as prompt injections and hallucinations. The guide outlines how companies can address those AI-specific threats in the pre-market stage.
Another section of the guide covers the three post-market stages of the life cycle, which are defined by the diminishing levels of support provided by device manufacturers. HSA expects manufacturers to offer “comprehensive cybersecurity support” to healthcare providers in the first post-market stage. At that stage, manufacturers should continuously monitor for new vulnerabilities and release timely patches.
The frequency of updates can decrease during the limited support stage, when the guide permits device manufacturers to focus more on critical security issues. Manufacturers stop providing active support in the final stage of the lifecycle, but they still need to help providers navigate that period. HSA expects companies to give providers all necessary product security information and tell the public of the change.
HSA is accepting feedback on the draft until 12 May.
HSA Notice
Australia’s TGA starts consultation into changes to IVD classifications, definitions
Australia’s Therapeutic Goods Administration (TGA) is seeking feedback on planned changes to the classification and definition of in vitro diagnostics (IVDs).
TGA is running the consultation to gather views on aligning Australia’s classification rules, principles and definitions with the European Union’s IVD Regulation, where appropriate. The Australian government’s policy is to align the country’s regulatory framework with the EU whenever possible. Following that brief, TGA has reviewed the intent of each Australian classification rule and the corresponding EU rule.
Seven IVD categories are affected by the proposed changes. TGA is proposing to move cancer screening tests from Class 2 to the higher risk Class 3. Sponsors of currently approved devices will need to apply to TGA to reclassify their products. New applicants will need to meet the requirements for Class 3 devices.
Other proposed changes include the creation of a specific rule for the classification of IVDs used for congenital screening in new-born babies. Australia currently lacks such a rule. TGA plans to fill the gap by adopting the EU’s policy. Under the proposal, some IVDs that are currently in Class 2 in Australia will move up to Class 3.
TGA said the changes “will result in greater consistency in the assessment processes of the IVD medical devices supplied in Australia, shorten the time taken for products to come into the Australian market and reduce regulatory burden.” The agency also expects its proposals to reduce public health and safety risks and increase consumer confidence in the regulation of IVDs.
Under the draft proposals, TGA would start enforcing the new classifications six months after the end of the relevant EU transition period. That means the deadlines would range from June 2028 for Class 4 IVDs to June 2030 for Class 2 products.
TGA is seeking feedback on the transition period, the classification changes it plans to make and other aspects of the push to align the Australian and EU requirements. The consultation is open until 8 May.
TGA Consultation
Malaysia’s MDA publishes guidance on importing medical devices for re-export
The Medical Device Authority (MDA) has published guidance for companies that want to bring devices into Malaysia and re-export them after processing or testing.
MDA typically requires medical devices imported into Malaysia to comply with the Medical Device Act 2012, including rules on the registration of products. However, the agency has seen cases where people need to import and re-export devices for maintenance, testing, sterilization, packaging or labelling or because Malaysia is a distribution hub.
Under the new guidance, MDA has exempted companies that are importing devices for re-export from the registration requirements of the 2012 Act. Companies need to apply for the exemption. If the case meets the requirements, MDA will issue an “IRE approval” letter that permits the device to be imported and re-exported.
The guidance provides more information on the requirements and application process. IRE letters are valid for 12 months and allow companies to import multiple shipments over that period. Companies can request an extension of up to six months if they are unable to complete their export activities within the initial timeframe.
MDA Guidance
New Zealand’s Medsafe clarifies requirements on clinical trial protocol changes
The New Zealand Medicines and Medical Devices Safety Authority (Medsafe) has outlined its position on clinical trial protocol clarification letters and changes to study protocols.
Part 11 of the guideline on the regulation of therapeutic products in New Zealand sets out requirements for clinical trial sponsors. The current edition of the guideline came into force in 2018. One section of the document states that any changes to the trial protocol must be submitted and approved before they can be implemented.
Last week, Medsafe made a statement “to further clarify this requirement and is effective immediately.” The agency said “clinical trial protocol clarification letters, and notes to file do not need to be approved by Medsafe before being implemented.” Sponsors submit such letters for notification only and receive an acknowledgement of receipt.
“Changes to clinical trial protocols should continue to be submitted and require approval prior to implementation,” Medsafe said. “Evidence of acceptance of protocol amendments by overseas regulators may also be submitted if they are available to assist Medsafe’s evaluation.”
Medsafe Notice
Other News:
Starting 10 March, the Philippine Food and Drug Administration (FDA) is asking licensed medical device establishments to submit initial applications for certificates of medical device notification for Class A products through its eServices Portal System. The change follows a pilot project last year and subsequent efforts to improve the portal. FDA Notice
HSA’s Medical Devices Cluster outlined the need for the guide in the draft document, explaining that the cybersecurity of medical devices has become a critical concern. The rise of interconnected devices that depend on software has provided immense benefits, HSA said, but also created vulnerabilities to cyber threats that can lead to patient harm, delays in treatment and other negative outcomes.
The guide is intended to help device manufacturers and healthcare providers to mitigate the threats. The document features recommendations on cybersecurity best practices for both before and after products come to market.
HSA covers pre- and post-market cybersecurity requirements as part of a total product life cycle model. The guide says it is crucial for manufacturers to consider cybersecurity risks at each stage of the life cycle, from development to end of support. Manufacturers and healthcare providers share responsibilities from development through end of life. Providers are solely responsible at the end of support stage.
It is important for manufacturers to “prioritize medical device cybersecurity throughout the entire life cycle,” HSA said, but there are specific elements that should be considered in the development phase. By designing security features, executing risk management strategies and developing a post-market plan, manufacturers can ensure the security of the medical device throughout the life cycle, HSA said.
The pre-market section of the guide includes specific considerations for devices with artificial intelligence features. The fast advancement and uptake of AI could “make it a prime target” for malicious actors, HSA said, and the rise of generative AI could create new threats such as prompt injections and hallucinations. The guide outlines how companies can address those AI-specific threats in the pre-market stage.
Another section of the guide covers the three post-market stages of the life cycle, which are defined by the diminishing levels of support provided by device manufacturers. HSA expects manufacturers to offer “comprehensive cybersecurity support” to healthcare providers in the first post-market stage. At that stage, manufacturers should continuously monitor for new vulnerabilities and release timely patches.
The frequency of updates can decrease during the limited support stage, when the guide permits device manufacturers to focus more on critical security issues. Manufacturers stop providing active support in the final stage of the lifecycle, but they still need to help providers navigate that period. HSA expects companies to give providers all necessary product security information and tell the public of the change.
HSA is accepting feedback on the draft until 12 May.
HSA Notice
Australia’s TGA starts consultation into changes to IVD classifications, definitions
Australia’s Therapeutic Goods Administration (TGA) is seeking feedback on planned changes to the classification and definition of in vitro diagnostics (IVDs).
TGA is running the consultation to gather views on aligning Australia’s classification rules, principles and definitions with the European Union’s IVD Regulation, where appropriate. The Australian government’s policy is to align the country’s regulatory framework with the EU whenever possible. Following that brief, TGA has reviewed the intent of each Australian classification rule and the corresponding EU rule.
Seven IVD categories are affected by the proposed changes. TGA is proposing to move cancer screening tests from Class 2 to the higher risk Class 3. Sponsors of currently approved devices will need to apply to TGA to reclassify their products. New applicants will need to meet the requirements for Class 3 devices.
Other proposed changes include the creation of a specific rule for the classification of IVDs used for congenital screening in new-born babies. Australia currently lacks such a rule. TGA plans to fill the gap by adopting the EU’s policy. Under the proposal, some IVDs that are currently in Class 2 in Australia will move up to Class 3.
TGA said the changes “will result in greater consistency in the assessment processes of the IVD medical devices supplied in Australia, shorten the time taken for products to come into the Australian market and reduce regulatory burden.” The agency also expects its proposals to reduce public health and safety risks and increase consumer confidence in the regulation of IVDs.
Under the draft proposals, TGA would start enforcing the new classifications six months after the end of the relevant EU transition period. That means the deadlines would range from June 2028 for Class 4 IVDs to June 2030 for Class 2 products.
TGA is seeking feedback on the transition period, the classification changes it plans to make and other aspects of the push to align the Australian and EU requirements. The consultation is open until 8 May.
TGA Consultation
Malaysia’s MDA publishes guidance on importing medical devices for re-export
The Medical Device Authority (MDA) has published guidance for companies that want to bring devices into Malaysia and re-export them after processing or testing.
MDA typically requires medical devices imported into Malaysia to comply with the Medical Device Act 2012, including rules on the registration of products. However, the agency has seen cases where people need to import and re-export devices for maintenance, testing, sterilization, packaging or labelling or because Malaysia is a distribution hub.
Under the new guidance, MDA has exempted companies that are importing devices for re-export from the registration requirements of the 2012 Act. Companies need to apply for the exemption. If the case meets the requirements, MDA will issue an “IRE approval” letter that permits the device to be imported and re-exported.
The guidance provides more information on the requirements and application process. IRE letters are valid for 12 months and allow companies to import multiple shipments over that period. Companies can request an extension of up to six months if they are unable to complete their export activities within the initial timeframe.
MDA Guidance
New Zealand’s Medsafe clarifies requirements on clinical trial protocol changes
The New Zealand Medicines and Medical Devices Safety Authority (Medsafe) has outlined its position on clinical trial protocol clarification letters and changes to study protocols.
Part 11 of the guideline on the regulation of therapeutic products in New Zealand sets out requirements for clinical trial sponsors. The current edition of the guideline came into force in 2018. One section of the document states that any changes to the trial protocol must be submitted and approved before they can be implemented.
Last week, Medsafe made a statement “to further clarify this requirement and is effective immediately.” The agency said “clinical trial protocol clarification letters, and notes to file do not need to be approved by Medsafe before being implemented.” Sponsors submit such letters for notification only and receive an acknowledgement of receipt.
“Changes to clinical trial protocols should continue to be submitted and require approval prior to implementation,” Medsafe said. “Evidence of acceptance of protocol amendments by overseas regulators may also be submitted if they are available to assist Medsafe’s evaluation.”
Medsafe Notice
Other News:
Starting 10 March, the Philippine Food and Drug Administration (FDA) is asking licensed medical device establishments to submit initial applications for certificates of medical device notification for Class A products through its eServices Portal System. The change follows a pilot project last year and subsequent efforts to improve the portal. FDA Notice
© 2025 Regulatory Affairs Professionals Society.
