As healthcare becomes increasingly computerized, doctors and hospitals are becoming bigger targets for hackers. MedCrypt, a two-year-old San Diego startup, has developed software that makes it easier to secure the myriad of medical devices from different manufacturers in use on a healthcare provider’s network. The software also monitors those devices to spot any suspicious activity. Times of San Diego spoke with Mike Kijewski, co-founder and CEO, about the business opportunities in medical device security.
1. Why did you start MedCrypt?
In the past, few people thought about medical devices being targeted by hackers. When I started researching device security, not only did I find out that was possible, but that most out there really lack basic device-security technology.
Especially as IoT and healthcare converge, devices are proving to be an easier target for cyberattacks than we once thought, making it vital for the entire industry to up its cybersecurity protection. MedCrypt was founded to tackle the main problem networked medical device manufacturers face: implementation of security technologies.
2. How secure are the medical devices in general use today?
Most medical devices in the field today were developed with the assumption that they’d be deployed on a secure hospital network. That assumption is no longer a safe one. Hospital networks have been under frequent attack by hackers over the last 18 months. Also, attempts to decrease the cost of healthcare have pushed many devices out of the hospital and into the patients’ home.
Medical device vendors have just started putting together strategies to secure these devices from the types of attacks hospital networks have seen. Some of the security features these devices need are difficult for companies to implement, revealing a huge opportunity for MedCrypt to help them do so as well as comply with new FDA regulations.
To elaborate, most medical devices are networked machines, with two or more computers sending and receiving data and commands. Think of a pacemaker that’s connected to a cell phone via Bluetooth. If that pacemaker receives an instruction, how does the device know it’s a valid instruction sent from an authorized user, as opposed to a malicious command ordered by a hacker.
3. What new technology have you developed to securely encrypt data?
The problem in medical device security isn’t that existing encryption technologies are inadequate for these devices; it’s that the existing technologies are hard to implement. Our innovation focuses around making these technologies easy for medical device vendors to implement, and then monitoring device behavior to spot suspicious activity. Since we focus solely on securing medical devices, we are better able to understand what “normal behavior” looks like for a medical device than a company focusing on securing IoT devices more broadly.
Security is a growing area of concern not only for medical device companies but also for the Food and Drug Administration, which released new security recommendations for companies last year. The FDA report contains a set of requests for vendors to implement certain security features into their devices, like proactive monitoring of hacking. Our technology helps companies meet regulatory requirements, helping put these new requirements into action.
4. How does your centralized monitoring service work?
When a medical device, like an x-ray machine, receives an instruction from another endpoint on the network, the device first uses our technology to determine if it is safe to follow that instruction. Then, if an internet connection is available, it sends us some meta-data about that activity (not patient data), like the origin of the instruction, and if the cryptographic signature looked valid. Just by tracking the origin and frequency of the data being sent between these endpoints, we can spot attempts to manipulate these devices.
5. It seems there’s a new hacking scare almost daily. How secure can you make medical devices?
Nothing is “un-hackable.” Anyone that says their system can’t be hacked is overly optimistic at best. However, we can make these devices impractical to hack. A big reason that hospital and healthcare networks’ IT systems have become a target for hackers is that they have been so easy to breach. By using the same security technologies used in ATMs, we can make it difficult enough for hackers to break into medical devices that they focus their attention elsewhere.
Times of San Diego, a startup itself, regularly writes about startups in technology, biotech and other sectors of local business. If you are a startup in the San Diego area and want to tell your story, please contact firstname.lastname@example.org.