As “smart” devices become more prevalent in hospitals across the world, the problem of cybersecurity is growing exponentially. Cyberthreats are real, and medical devices are at risk. To protect patient safety and security, it is important that hospitals make sure the devices they regularly use on patients have a level of cybersecurity built in from the beginning. Otherwise, hospitals are putting patients at risk. Many of these medical devices use wireless platforms to transmit patient data, as well as to collect and monitor information. Increasingly, the devices are going home with patients. Unfortunately, this is an area that is outside the current regulatory environment for the operation of medical devices.
This is where companies like MedCrypt come in. By addressing the gap in this area of health care, MedCrypt is proposing an easy-to-use solution that equips medical devices with an important level of cybersecurity by adding just a few lines of code. Rather than spend time figuring out how to incorporate cybersecurity into medical devices, the manufacturers of these vital machines can focus on innovation and enable MedCrypt to fill in the gaps in security.
Early History
In 2016, MedCrypt was founded by CEO Mike Kijewski, a passionate entrepreneur with an interest in the intersection of technology and health care. Prior to his endeavors with MedCrypt, Kijewski founded a radiation oncology software startup called Gamma Basics, which was absorbed in 2013 by Varian Medical Systems. His current venture, MedCrypt, is backed by influential investing companies like Sway Ventures and Section 32.
Kijewski cited an unusual source as the trigger for the idea behind MedCrypt. After watching an episode of the TV show Homeland in 2012 in which the vice president’s pacemaker is hacked by terrorists, he wondered whether this could actually occur. As it turns out, it is possible. Once he made this discovery, he began researching vulnerabilities in the security of networked medical devices, such as pacemakers, diagnostic imaging systems, and insulin pumps. When he found out that it wouldn’t be easy to implement an existing cybersecurity solution, he decided to create one.
Security Requirements
Over the years, medical companies have made a great deal of progress with regard to the security of their devices. However, there are still improvements that need to be made, particularly as the medical devices that collect patient data are increasingly heading home with patients. Outside of the hospital, there hasn’t been a regulatory standard to ensure that these devices remain secure, protect patient data, and keep patients safe from interference by outside sources.
In October 2018, the Food and Drug Administration (FDA) released its medical device security requirements, addressing necessary changes for medical device manufacturers. The pre-market guidelines make it a built-in requirement that medical devices must be secure by design before being released. MedCrypt’s solutions provide vendors with a way to easily incorporate cybersecurity tools into their products. Among the important cybersecurity tools offered by MedCrypt are data encryption on devices; monitoring of the way that devices behave; the implementation of software patches, if necessary; and the addition of cryptographic signatures to ensure that the devices have not been compromised. Most importantly, MedCrypt designs these cybersecurity tools with medical devices as a priority.
Many options for cybersecurity exist for other smart or connected devices, like thermostats or doorbells, and these solutions are sometimes used for medical devices, as well. While it seems like this should work because such items often use similar processors or software, problems that compromise patient safety can occasionally arise. One such instance was the disruption of a patient’s heart procedure by a virus scan. This is a risk that medical professionals shouldn’t really be taking with patient safety. MedCrypt can avert these problems by ensuring that its cybersecurity tools work with nearly any medical device.
Since MedCrypt also monitors how devices behave and constantly checks for security vulnerabilities, it is much easier to incorporate patches to ensure that devices remain secure. MedCrypt maintains a software library for different devices and searches for possible vulnerabilities that hackers might try to exploit, notifying medical device vendors about potential problems.
Future Applications
While FDA regulations focus on issues related to intra-device security (security focused on only one device and its core operations), MedCrypt has its eye on the future, as well. Inter-device security is likely to become just as important as more devices share data. These devices are typically managed by hospitals, and the communication can be configured in a few different ways. As these issues become more prevalent, MedCrypt hopes to help medical device vendors and hospitals with cybersecurity solutions to ensure that communication can be carried out in the most secure way possible.
In our ever-changing health care environment, more connected devices are entering our homes, putting us at an increased risk of security breaches. Companies such as MedCrypt are seeking to protect patient security by implementing simple solutions in only a few lines of code.