
Defending against medical device hacker threat, MedCrypt CEO seizes an opportunity

The cybersecurity startup identified about six basic security features that should be present on all devices, all of which MedCrypt plans to make available to companies through downloadable code.

 


An episode of “Homeland” guided Mike Kijewski to founding MedCrypt, a medical device security startup that began operations in January 2016. In it, the vice president has his pacemaker hacked, the end result being a heart attack that kills him—assassination by cybersecurity negligence, in effect.

“When I started researching medical device security, not only did I find out that was possible, but that most medical devices out there really lack any basic device-security technology,” said Kijewski, who serves as CEO.

With seed funding raised, the San Diego-based startup is now six months into its sales cycles, working with several smaller vendors on implementing cybersecurity measures for their medical devices. Kijewski’s startup had identified about a half-dozen basic security features that should be present on all devices, all of which MedCrypt plans to make available to companies through downloadable code from its website. Once installed on the device’s software and firmware, MedCrypt’s code allows for real-time device monitoring, which serves to alert vendors about suspicious behaviors so they can root out security threats.

Mike Kijewski, MedCrypt CEO.

In a phone call with MedCity News, Kijewski said the plan is to make the downloadable code free for vendors. Payment to MedCrypt would kick in once a vendor’s medical device begins reporting behaviors to the MedCrypt servers.

“Downloading of the code really should be free. People want to play around with it,” he said. “Then they put that code in their firmware or software application. As soon as the device is active and out in the field, it starts talking to our servers to report if anything looks suspicious.”

Among the security features MedCrypt provides are encryption keys to ensure any instructions a medical device receives haven’t been tampered with or sent in error. Most medical devices are networked machines, with two or more computers sending and receiving data and commands. Think of a pacemaker that’s connected to a cell phone via Bluetooth. If that pacemaker receives an instruction, how does the device know it’s a valid instruction sent from an authorized user, as opposed to a malicious command ordered by a hacker? MedCrypt provides an encryption key, similar to PGP used to send secure emails, to ensure that data delivered to the medical device came from a trusted source.
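The check described above, sketched as an added example (this is not MedCrypt's code, which the article does not show): a device holds only a trusted public key and refuses any instruction whose signature does not verify. Ed25519, the `Command` format, `Provision` and the command string are assumptions made for illustration; the counter that rejects a re-sent command goes one step beyond what the article describes.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)
var ErrBadSignature = errors.New("tampered command or untrusted sender")
var ErrReplay = errors.New("counter not newer than last accepted command")
type Command struct { // hypothetical wire format (assumption)
	Counter uint64 // strictly increasing per controller
	Body    string
	Sig     []byte
}
type Device struct { // device side: trusted public key plus replay state
	Trusted     ed25519.PublicKey
	LastCounter uint64
}
// signedBytes is the exact byte string the signature covers.
func signedBytes(counter uint64, body string) []byte {
	return []byte(fmt.Sprintf("%d|%s", counter, body))
}
// Provision pairs the two sides; the device stores only the public key.
func Provision() (*Device, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return &Device{Trusted: pub}, priv
}
// Sign runs on the authorized controller, e.g. the paired phone.
func Sign(priv ed25519.PrivateKey, counter uint64, body string) Command {
	return Command{counter, body, ed25519.Sign(priv, signedBytes(counter, body))}
}
// Accept checks origin and integrity before the command may be acted on.
func (d *Device) Accept(c Command) error {
	if !ed25519.Verify(d.Trusted, signedBytes(c.Counter, c.Body), c.Sig) {
		return ErrBadSignature
	}
	if c.Counter <= d.LastCounter {
		return ErrReplay
	}
	d.LastCounter = c.Counter
	return nil
}
func main() {
	dev, priv := Provision()
	cmd := Sign(priv, 1, "set_rate=60") // constructed sample command
	fmt.Println(dev.Accept(cmd), dev.Accept(cmd)) // first accepted, second rejected
}
```

Because the counter is inside the signed bytes, an interceptor cannot bump it to get an old command accepted again without invalidating the signature.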

QuiO is one company MedCrypt is already working with. The New York-based company makes an at-home, cloud-connected injection device that could be used during the course of clinical trials for biologic drugs. Such drugs involve complex injections that must be done at a certain rate and time.

“So the device will automate the delivery of the drug at home, and then sends a record into [QuiO’s] cloud service so the drug company can use that data in clinical trial submission,” said Kijewski. “On the actual device, [MedCrypt encrypts] the data so that if someone were to intercept the data, they couldn’t read it.”

Medical-device cybersecurity is an interesting new challenge for Kijewski, who started out his professional career as a high school physics teacher in Downingtown, Pennsylvania, a town about an hour west of Philadelphia, after graduating from West Chester University with a bachelor’s in physics. After three years teaching, he took a job doing radiation safety analysis of radiation oncology equipment at hospitals, and then enrolled in the University of Pennsylvania’s master’s program in medical physics.

During graduate school, Kijewski started a company to design software that would make his previous job, testing the safety of radiation oncology equipment, easier. That company, Gamma Basics, snagged Varian Medical Systems—what Kijewski calls the “Apple of radiation oncology”—as a first customer. By that time, in 2012, Kijewski had completed his master’s degree and was preparing to graduate with an MBA from the Wharton School.

Eventually, Varian acquired Gamma Basics in an asset deal for several million. While working at Varian, Kijewski went looking for other medical IT problems to solve, and that’s when he began researching the security vulnerabilities of networked medical devices, such as pacemakers, and discovered the main problem.

“It wasn’t the case that existing security technologies were inadequate for medical devices,” he said. “It’s that medical device manufacturers fail to implement these technologies at all. Or, if they do, they get it wrong.”

Security is a growing area of concern not only for medical device companies but also for the Food and Drug Administration, which released nonbinding security recommendations for companies in December. The FDA report, “Postmarket Management of Cybersecurity in Medical Devices,” contains a set of requests for medical-device vendors to implement certain security features into their devices, like proactive monitoring of hacking. Kijewski contends that some of these features are difficult for medical-device companies to implement, hence the need for a startup like MedCrypt.

“A medical device company’s core competency is not cybersecurity,” he said. “We think there’s a huge opportunity to help these device vendors comply with what the FDA is asking.”
