The Internet of Things in the healthcare sector is booming. A typical hospital has hundreds of connected devices, from implantables, wearables, monitors, workflow and imaging to patient data systems. But while these devices are helping healthcare providers automate workflows and reduce the risk of error, common security vulnerabilities found in these devices are also endangering patients.
The FBI warned in September that more than half of connected medical devices in hospitals had known critical security vulnerabilities, and these flaws are leading to a surge in attacks on the healthcare industry.
This uptick in vulnerabilities has also led to increased regulation. After COVID-fueled delays, the U.S. Food and Drug Administration this year released updates to its premarket cybersecurity guidance and postmarket cybersecurity guidance, outlining recommendations related to the design and maintenance of medical devices.
“That's when we started to see device manufacturers really start to make changes,” said Mike Kijewski, founder and CEO of MedCrypt, a San Diego-based maker of cybersecurity software for medical devices. Prior to founding MedCrypt, Kijewski was the founder of Gamma Basics, a radiation oncology-focused software startup.
MedCrypt is a Y Combinator graduate that provides software for anything the FDA would consider a medical device where cybersecurity could be a concern, from insulin pumps and heart rate monitors to AI-based radiology tools and autonomous robots. These devices all suffer from three common problems, Kijewski tells TechCrunch: outdated software, user authentication and a lack of good cryptography.
“Historically, healthcare companies would assume that, well, if my device is running inside a hospital, we can trust the people inside the hospital, and if a bad guy gets into the hospital, then that's not our problem,” said Kijewski. “So they would use the same username and password for every device that gets shipped out there.”
MedCrypt this week announced that it had raised $25 million in Series B funding, led by Intuitive Ventures and Johnson & Johnson Innovation, to help device manufacturers meet these FDA requirements in order to get critical devices to market faster. The investment comes three years after it raised $5.3 million in Series A funding, a gap which the startup says was caused by the uncertainty created by the COVID-19 pandemic.
"There was a 12- to 18-month gap in the progression of the market as we had predicted it, but now we're back on track," Kijewski said.
MedCrypt works with most of the top medical device manufacturers and says its latest investment — also backed by Section 32, Eniac Ventures, Anzu Partners and Dolby Family Ventures — will help it to bolster both its product and its team to get into the hands of even more.
However, MedCrypt’s ultimate goal is far grander. “I think there’s an opportunity for there to be a very large, publicly traded healthcare-specific cybersecurity company,” said Kijewski. “I want to be the one building that company.”