Michael Barbella, Managing Editor 09.18.23
MedCrypt Inc. has teamed up with Kansas State University (K-State) by providing a grant to drive advancements in quantifying regulatory and cybersecurity risk in the medical field. The partnership will aim to enhance medical device cybersecurity research by focusing on validating the tools used to assess client risk, incorporating a holistic approach, and seamlessly integrating technical elements and public and regulatory policy considerations.
The collaboration, led by Dr. Eugene Vasserman (K-State) and Dr. Seth Carmody, MedCrypt's vice president of Regulatory Strategy, aims to address the varied challenges of assessing and quantifying cybersecurity risks associated with interconnected medical devices and their impact on clinical care delivery, patient safety, and business continuity. The MedCrypt and K-State collaboration brings together premier research institutions to tackle challenging problems faced by medical device manufacturers (MDMs). Additionally, it opens the possibility of collaboration among MedCrypt, K-State, and Tufts University. With the U.S. Food and Drug Administration's (FDA's) decision to refuse future device submissions which don't meet minimal cybersecurity requirements by Oct. 1, there is a call to action for MDMs to prioritize cybersecurity.
The research will combine a comprehensive qualitative and quantitative approach that considers risks from both business and technical perspectives. Unlike prior "one size fits all" work, this includes analyzing the manufacturer-specific approach to cybersecurity during product line engineering and product design, product requirement and risk evaluation including compensating controls, verification and validation procedures, and post-market monitoring and support. By integrating broader cybersecurity practices such as threat modeling, vulnerability monitoring, and incident response, MedCrypt and K-State can work towards enhancing the security posture of medical devices and manufacturers. The urgency to comply with the FDA's requirements provides a compelling incentive for MDMs to engage with MedCrypt. Through the partnership, MedCrypt and K-State can leverage academic best practices in medical device cybersecurity while applying real-life constraints that MDMs experience every day. By doing so, they will contribute to the overall safety and integrity of interconnected medical devices, ultimately improving patient care, reducing the risk of cyber threats in healthcare environments, and placing MDM-level cybersecurity risk estimation on a firmer footing.
"Partnering with Kansas State University allows us to focus on a critical research initiative," Carmody said. "This partnership validates the value of our risk assessment tools and strengthens our capacity to tackle evolving challenges in medical device cybersecurity. By leveraging academic expertise, industry insights, and an understanding of new rules and regulations, we are confident that our joint efforts will lead to significant advancements."
Dr. Vasserman brings extensive experience in the security of distributed systems, cyber-physical systems, and the socio-technical aspects of security. As the director of the Kansas State University Center for Cybersecurity and Trustworthy Systems (K-CaTS), he has played a pivotal role in advancing cybersecurity education and has been involved in multiple medical device cybersecurity projects, from the MDM side as well as through collaboration with the FDA. Dr. Vasserman has also received several notable recognitions, including the Commissioner's Special Citation in 2018 as a member of the St. Jude Medical Cybersecurity Response Team, the Outstanding Service Award in 2020 as a member of the Cardiac Monitor Cybersecurity Review Team, and the Group Recognition Award in the same year as a member of the URGENT/11 Response Team.
"I am honored to lead this research and work closely with MedCrypt to address challenges in medical device cybersecurity," Vasserman stated. "Our research will not only provide a holistic understanding of cybersecurity risk in the medical field but also contribute to developing standards and policies that will help strengthen the safety and integrity of medical devices. Together, we aim to make lasting improvements to the industry and protect patients from ever-evolving cyber threats."
The research team will develop a platform that is both customizable and expandable, integrating qualitative and quantitative metrics. This platform will provide actionable and prioritized recommendations for addressing current and future technological, regulatory, and business risks. In terms of advancing science, the project will result in research papers and software artifacts that disseminate new knowledge and provide a foundation for others to build upon. Customers of MedCrypt can anticipate a swift integration of research findings into their products and services. This integration will bring immediate benefits, such as significantly enhanced proactive risk management, specifically tailored to the processes and needs of MDMs, which will include ongoing monitoring, testing, and updating of security controls. These practices not only help meet regulatory requirements but also effectively reduce cybersecurity risks while simultaneously lowering costs by prioritizing the mitigation strategies most likely to be effective and avoiding those that may yield little long-term benefit.
MedCrypt is helping healthcare technology companies ensure medical devices are secure by design. The firm provides cybersecurity products and strategic management consulting to expedite the go-to-market process of medical device manufacturers' new life-saving connected technologies. Founded in 2016 by a team of healthcare cybersecurity experts, MedCrypt is positioned to be the security catalyst for medical device manufacturers to design secure, FDA-approved technologies. To date, MedCrypt has raised more than $36 million in funding with participation from Johnson & Johnson Innovations, Intuitive Ventures, and Dexcom Ventures.