Data security has been a hot topic in the media recently with revelations about the dissemination of user data at Facebook and breaches at other large businesses like Uber. Healthcare has also had its fair share of cybersecurity issues, with data from 18,000 Medicare members accessed at Anthem Blue Cross Blue Shield through its vendor LaunchPoint Ventures in 2017 and the ongoing investigation into Banner Health’s exposure of data from 3.7 million patients in 2018.
Like those examples, many healthcare data breaches target systems or organizations. But can data breaches target devices or tools which generate data in a patient’s medical profile? The answer is yes. In 2017, the FDA confirmed the vulnerability of St. Jude’s implantable cardiac devices. If hacked, malicious actors could use access to these devices to prematurely drain the battery or change the pacemaker’s frequency.
In response to the risks presented by modern day, digital medical devices, MedCrypt, a California cybersecurity company founded in 2016, provides a solution. The company offers data security as a service that ensures devices are only acting on and responding to direction from trusted sources. MedCrypt’s capabilities include: encrypting data sent to and from devices, cryptographically signing commands sent into a device, assigning unique keys to each system actor, and monitoring what devices are doing remotely, in real-time. In creating a comprehensive understanding of the challenges faced by medical device companies, MedCrypt helps its customer learn from and proactively prepare for threats experienced by other MedCrypt users.
To learn more about MedCrypt’s capabilities and the challenges of cybersecurity in an increasingly digital, connected world of healthcare, Medgadget spoke with MedCrypt CEO Mike Kijewski.
Michael Batista, Medgadget: Despite the relative newness of IOT (Internet of Things) and wearable technologies, many of the medical devices that are at risk for breach, like pacemakers, have been around for awhile. Has industry awareness about the risks of hackers accessing these devices been around just as long or is this a more recent concept?
Mike Kijewski: While there were a handful of people and companies thinking about this problem as early as 2008, the problem of medical device cybersecurity wasn’t broadly understood by the industry until the FDA’s cybersecurity guidance documents were released in 2016. When we first started demoing a tool to address this problem to major medical device vendors in late 2016, many of them said, “cybersecurity is not a concern in our devices.” By mid 2017, many said, “cybersecurity is a concern, but we’ve got it covered.” By the last quarter of 2017, most major device vendors had “seen the light” that this is a major issue, and one that will require collaboration between device vendors, providers, and technology companies.
Medgadget: How have medical device companies historically addressed device data and access security, if at all?
Kijewski: We know that a handful of device vendors had Product Cybersecurity teams between 2010 and 2014, but many vendors only created those positions after the FDA’s most recent guidance document in 2016. Also, it’s hard to decide if a company has actually “addressed device… security.” Proper product security is not a short-term project, but a long-term process. It will probably be another five years before we really know which companies have chosen to take a serious approach to this problem.
Medgadget: Thinking more recently, do you believe that medical device companies today, from industry leaders to your latest IOT or wearable startup, think about or plan for device data security as effectively as they should?
Kijewski: There are absolutely companies that see medical device security as being both an important safety concern and a potential business enabler. That wasn’t true two years ago. But we still see companies say they will only address product security when a regulatory agency forces them to do so. Fortunately, it seems the FDA has promised to do that in the near future.
Medgadget: What are the risks to medical device companies who experience a device breach and the patients using their devices?
Kijewski: The risks for patients can range from theft of personal data to physical harm. For medical device companies, the financial risks are really hard to quantify. We’ve seen a couple of companies drop entire product lines after a major vulnerability is found. It’s hard to know if those events were causal, but it’s clear that a recall of hundreds of thousands of implantable medical devices is neither cheap nor good publicity.
Medgadget: Let’s turn our attention to MedCrypt. How does the company help medical device businesses address their cybersecurity challenges? Specifically, what services does MedCrypt offer?
Kijewski: If you imagine a medical device vendor taking a proactive approach to product security, there are really three main activities: 1) assessing threats, 2) implementing features to mitigate those threats, and 3) monitoring and maintaining device security through the product life. That second step, security feature implementation, can be really challenging for an engineering team facing an infinite list of feature requests and bug improvements. MedCrypt’s software gives engineers writing code for medical devices easy access to security features via an API. For example, a user can call our API to cryptographically sign an instruction being sent to a device, and again to validate the signature once the instruction is received. While that may seem like a trivial engineering task, addressing all of the edge cases around key provisioning, management, vulnerability patching, cypher selection, etc. can quickly make those tasks challenging. We remove that complexity from our users’ workflow, allowing them to focus on clinical features.
Once our code is in a device, the devices send us metadata about what they are doing, allowing us to look for abnormal behavior, regardless of whether the device is on a hospital network or at a patient’s home. If you look at the FDA’s Postmarket Cybersecurity Guidance, this is one of the many things they are asking medical device vendors to build into their devices.
Medgadget: How easy it is for a medical device company to integrate and work with MedCrypt? Can you walk us through the typical steps required for a client to begin realizing the value of MedCrypt?
Kijewski: Our code gets built directly into the application software or firmware running on the medical device, so a software update of the device is required. That said, many of our early customers needed only a dozen lines of implementation code to start using MedCrypt in their existing devices. Implementing MedCrypt is several orders of magnitude easier than an engineer standing all of this cryptography up on their own.
Medgadget: Can you share a use case or examples of how MedCrypt is being used to address a medical device cybersecurity challenge today?
Kijewski: One of our early customers, Reflexion Medical, is building a PET-guided radiation oncology device. They are using MedCrypt to ensure treatment plans created in their software by clinicians are not modified before it is delivered by the device. Since very small changes in radiation dosage parameters can have huge impacts on a patient’s safety, it’s very important to ensure this data isn’t modified between the time a treatment is defined by a physician and the time it’s delivered by the device to a patient.
Medgadget: Does MedCrypt provide services to stakeholders beyond the medical device companies?
Kijewski: At the present moment, no. We feel that working directly with device vendors when their systems are being designed allows us to make the largest impact on their security posture. That said, we know that hospital CISOs will be happy to know that some devices running on their network have features like those enabled by MedCrypt. It’s one less thing for them to have to worry about.
Medgadget: MedCrypt is just getting into its third year of business, what’s on the horizon for the company as you look to the future?
Kijewski: When we were starting the company in late 2015, many investors told us that we were too early and the market just wasn’t ready to address security. I think they were right. However, we’ve seen medical device vendors take a much more proactive approach to security in the last 12 months, and we’re excited to see MedCrypt in everything from radiation oncology devices to insulin pumps and even pacemakers in the next 18 months.
I believe we’ll also start to see applications for our technology in the peripheral healthcare IT applications with which our customers’ devices interact. A PACS system, for example, ingests DICOM images produced by an imaging device. It will be great to see those PACS systems start to communicate with devices using encryption by default, and we know the PACS vendors will see the advantage to using a security tool like MedCrypt to facilitate that secure data transport.
Medgadget: In response to heightened awareness, as well as the availability of services like MedCrypt, how do you think medical device companies will evolve their perspective or approach to cybersecurity in the coming years?
Kijewski: Any medical device company that wants to be competitive in the market of connected healthcare will need to adopt a proactive approach to cybersecurity, and see it as a business enabler, not a cost center. Among the companies who do address cybersecurity proactively, the most successful ones will be those who adopt a “security by design” approach that relies on cybersecurity features directly in the device, not just reactive monitoring and documenting existing vulnerabilities.
Link: MedCrypt homepage…