Six months after an episode of “Homeland” showed hackers exploiting security vulnerabilities in the (fictional) vice president’s pacemaker, Mike Kijewski, the founder of a new startup security company called MedCrypt, was approached by his (then) employers at Varian Medical Systems with a unique problem.
“A hospital came to the company and said we are treating a patient and a nation-state may attempt to assassinate the patient that we’re treating by using a cybersecurity vulnerability in a medical device to do it,” Kijewski recalled.
At the time, there were no universal solutions to those types of security threats — so companies were left to cobble together one-off solutions for their devices, which is what Kijewski’s former employer likely attempted to do.
Ever since, Kijewski became obsessed with the security holes that exist in the foundation of the healthcare industry’s practice — the devices used to diagnose and treat patients.
“My partner Eric Pancoast and I looked into the problem of medical device cybersecurity and we found two things,” says Kijewski. “Number one there were no regulations forcing medical device companies to use cybersecurity protections at all. Number two, any given company has only one core competency — maybe two. And are medical device vendors going to have cryptography and cybersecurity competencies?”
MedCrypt was launched in 2016 to ensure that medical device manufacturers wouldn’t need to be cryptographic experts. The company is graduating from the latest batch of Y Combinator (after raising a $3 million seed round from Eniac Ventures and other investors) with a pitch to secure medical devices using just a single line of code.
It’s a technological necessity thanks to new guidelines from the Food and Drug Administration requiring medical devices to include security features like encryption, signature verification and intrusion detection.
By inserting a single line of code into the software of a device, MedCrypt can provide the security manufacturers need at the device level, according to Kijewski.
The company not only encrypts the data on the device, but it also provides intrusion detection services by analyzing medical device metadata to identify standard device behaviors and deviations from that behavior, Kijewski said.
MedCrypt is one of a growing number of startups that are securing medical devices and hospital networks as the threats to the healthcare system proliferate.
Other startups are working on protecting hospital networks. Companies like Medigate, founded by former officers from the Israeli Defense Forces, which just raised $15 million from investors, including YL Ventures and US Venture Partners, and Cylera, which is backed by Samsung Next and launched from the DreamIT healthcare accelerator, are two such companies.
By 2017, a Becker’s Health IT CIO Report counted more than 107 technology companies pitching cybersecurity solutions to healthcare practitioners and medical device manufacturers.
It’s little wonder so many companies are pouring in to close the (data) breach in healthcare, given the scope of the problem.
A 2018 report from Experian cited by U.S. News indicated that 233 breaches were reported to the Department of Health and Human Services, media or state attorneys general in the period from January to June 2017. And for the 193 attacks where the scope of the breach was calculated, roughly 3.2 million patient records were affected.
Experian predicts healthcare cybersecurity spending will be a $65 billion industry by 2021.
Still, some of the security problems that hospitals face can be solved with some fairly basic updates. Indeed, perhaps the most critical — and the one that left hospitals most exposed — is just ensuring that their technology can accept patches and security upgrades. Many of the attacks that crippled health networks came down to an inability to upgrade their Windows operating systems.
Sometimes, all it takes is tightening the screws to make sure the machines don’t fall apart.
“Connected medical devices — from patient monitors, MRIs and CAT scanners to infusion pumps and yet-to-be invented devices — are critical to the delivery of healthcare today and are revolutionizing the care of tomorrow,” said YL Ventures founder Yoav Leitersdorf in a statement announcing Medigate’s 2017 financing. “These devices are inherently different from traditional IT endpoints and can’t be protected by currently available products and practices. With the pandemic of cyberattacks targeting healthcare providers, far too many connected devices are left vulnerable and exposed, putting patient health and privacy at risk.”