San Diego In 2016, a medical device crashed during heart surgery after misconfigured antivirus software opened.
The surgery at an unidentified facility went off without harm, but Mike Kijewski said the incident demonstrates a clear need: cybersecurity geared specifically for medical devices.
He’s the CEO of Medcrypt, which at the end of June locked down a $1.9 million funding round to help medical device vendors build cybersecurity features directly into their products, amid rising fears of hacking and breaches.
“From a competitive landscape perspective it’s really a relatively new field. You see a lot of existing cybersecurity companies trying to find ways to apply their existing products to this problem. Sometimes this works well. Sometimes it doesn’t,” Kijewski said.
CEO: Mike Kijewski
Funding to date: $3 million
Headquarters: Solana Beach
Company description: Medcrypt helps medical device vendors build cybersecurity features directly into their products.
While he noted the software heart surgery episode, Medcrypt isn’t in the antivirus software business. In the simplest terms, it encrypts data sent to and from medical devices.
The company also remotely monitors metadata to spot abnormal device behavior. For instance, a CT machine and control system might average 1,000 communications a day, but spikes in that number and failed identification tests signal something may be awry.
At that point, Medcrypt would notify the device manufacturer.
The company’s $1.9 million round was led by Eniac Ventures, with additional backing from Sway Ventures, Nex Cubed, Oronoco Investments and Friedman BioVentures. To date, the company has brought in $3 million in funding.
The capital comes as medical devices increasingly transmit data, aiding treatment decisions and remote monitoring, but also creating cybersecurity vulnerabilities. The U.S. Food and Drug Administration in April put forward an action plan promoting improved protections, building on existing measures.
“Medical devices from insulin pumps to implantable cardiac pacemakers are becoming more interconnected, which can lead to safer, more effective technologies. However, like computers and the networks they operate in, these devices can be vulnerable to security breaches, and exploitation of a device vulnerability could threaten the health and safety of patients,” states the FDA plan.
FDA documents lay out what medical device cybersecurity measures should be in place before regulatory submissions and post-approval. These documents are in draft form, but should be finalized in the near future. That’s according to Bethany Hills, the chair of law firm Mintz Levin’s FDA practice.
For medical device companies, much is at stake. Even the potential of a breach could be devastating.
“If you’re a medical device vendor and sell a medical device that’s found to have a significant cybersecurity vulnerability, that’s going to end up costing your company a lot of money, whether it’s via a recall or loss of branding of value,” Kijewski said.
Initially, Medcrypt envisioned primarily selling hospitals on cybersecurity for existing devices. But, according to Kijewski, hospitals feel these measures should come out of the box. In addition, devices already on the market can only be tinkered with so much before triggering a new regulatory process.
So Medcrypt “moved upstream” to work more with medical device vendors, Kijewski said.
Its customers include Reflexion Medical, QuiO and more. Medcrypt, based in Solana Beach, has six employees, and plans to have around 10 employees by the end of the year. The company was incorporated in 2016.
Kijewski said its software aims to save time and money, versus in-house engineers taking a crack at cybersecurity. He likened this to database server products, which companies typically buy off the shelf and tailor to their needs.
“This allows the engineers and a medical device vendor to focus on their core competency,” he said.
Suite of Tools
Medcrypt offers a suite of tools, which companies can pick and choose from. Full-blown encryption, for instance, may consume too much device battery power.
Besides medical devices, long term Kijewski sees potential in other health care applications, like what’s called a picture archiving and communication system, used in diagnostic imaging. But medical devices are the focus.
He said San Diego is an ideal home, given the good number of medical device companies — think ResMed and Dexcom — a wealth of cybersecurity talent and the relaxed lifestyle.