QuiO’s Smartinjector platform, as covered previously on Medgadget, is poised to become the first set of cloud-connected injectable therapy delivery devices available for in-home use. Following their recognition at January’s Accenture Startup Health Festival as the winner of the HealthTech Innovation Challenge, the QuiO team has seen a stark increase in demand for their devices. Now they are aiming to address the potential future data security risks that accompany the increased interest.
Last week, they announced a partnership with MedCrypt, a California-based medical device data security company, to ensure that their products will allow for safe, cloud-based transmission and storage of patient prescription and injection data. Integrating MedCrypt’s software into the QuiO platform will support the proactive monitoring of potential data security breaches and combat the rapidly advancing sophistication of ransomware attacks.
QuiO CEO Alexander Dahmani and MedCrypt CEO Mike Kijewski were kind enough to provide exclusive comment to Medgadget regarding the motivation for and significance of their partnership.
Zach Kaufman, Medgadget: Would you be willing to offer additional insight as to why the bolstering of data security is important to the success and adoption of Smartinjector devices? What types of downstream effects of tampering efforts are you seeking to prevent via this partnership?
Alexander Dahmani, QuiO: We need to be confident in the medication consumption data we’re collecting from our Smartinjector devices, because it will be used by healthcare professionals to make treatment decisions. There are also a number of device features that we need to protect, including the drug delivery mechanism and the medication reminders. We don’t want a hacker to be able to modify the programmed dosing schedule and incorrectly suggest to the patient to take a dose. MedCrypt’s technology allows us to protect against all of these risks.
Mike Kijewski, MedCrypt: Sometimes medical device vendors need to be certain that the data they are receiving from their devices came from a trusted source. For example, a device like QuiO’s Smartinjector could be used during a clinical trial. The research organization analyzing the clinical trial data, and ultimately the regulatory agency assessing the efficacy and safety of the drug in question, need to be certain that the data being reported from these devices hasn’t been tampered with. Our system makes it easy for a device vendor to cryptographically sign the data on the device itself, establishing the provenance of the data in question.
Medgadget: What types of ‘suspicious behavior’ does MedCrypt’s technology monitor and seek to prevent?
Kijewski: One of the first things a hacker would do when trying to compromise a device is send it a variety of instructions and data and see how it responds. MedCrypt-enabled devices report individual transactions to a centralized system, meaning that we can spot instructions being sent to the device from unusual sources, and alert the device vendor.
Medgadget: How does MedCrypt’s data protection software separate itself from status quo data security practices? Under what conditions do common alternative methods fall short?
Kijewski: There was a case last year where a medical device that was in use during a cardiac catheterization procedure restarted due to an anti-virus update. Companies that make security tools for enterprise network security or personal computer security are generally unfamiliar with the regulatory requirements and usage patterns of medical devices. MedCrypt has been developed with medical device vendors’ regulatory obligations in mind.
Medgadget: The technical sophistication with which malicious attacks are carried out is constantly increasing. How does MedCrypt’s machine-learning-based behavior analysis system help its protective services outpace those advancements?
Kijewski: The core functionality of MedCrypt gives device vendors an easy-to-use API for common cryptographic functions. But since we’re issuing unique keys to all of the devices using our system, we’re able to passively observe transactions between these devices, not unlike watching financial transactions. Our system learns what a device’s usual usage pattern is over time, and alerts MedCrypt if the usage pattern changes. For example, if a surgical robot receives on average 10,000 instructions per day from its control console, but suddenly it’s receiving 1,000,000 instructions per day from a new IP address, our system would flag that as a change in behavior.
Additional Medgadget Coverage of QuiO Devices: QuiO’s Smartinjector Connected Drug Delivery Device Anticipates 2017 Release…
QuiO Company Page: QuiO…
MedCrypt Company Page: MedCrypt…
Press release: MedCrypt and QuiO Partner on Device Security for Safe Transfer of Patient Prescriptions and Injection Data…