10 Medical Device Cybersecurity Startups
As medical devices become more pervasive, there’s an increasing concern about cybersecurity. Cyber-attacks have been targeting practically every connected device available in the market today, with an average of one hack attempt every 39 seconds. Medical devices being hacked also damages brand reputation very quickly. (The notion of someone stealing your password is a whole lot different from thinking about somebody tooling around in your grandma’s pacemaker.) It’s not just pacemakers, but all kinds of medical devices that humans walk around with every day that can be subject to cybersecurity breaches.
Sensitive information from the healthcare sector is proving to be attractive for hackers with healthcare leading in the number of cybersecurity breaches in 2018. That increased interest doesn’t bode well given how costly healthcare data breaches can be.
In order to combat cybersecurity threats, we’re increasingly turning to artificial intelligence which can identify threats before they even take place (unlike more old-school approaches like looking up signatures in an external database.) With 10 to 15 connected devices found in every hospital bed in ‘Murica — all of which are vulnerable to cyber-attacks — cybersecurity breaches can cause all sorts of havoc. Let’s take a look at 10 medical device cybersecurity startups looking to secure medical devices.
Founded in 2017, New Yawk startup Cylera has taken in $5.5 million in funding so far from investors that include Samsung Next. Cylera has developed an entire suite of security products that provide a holistic solution to all your IoT security needs. MedView passively finds all IoT devices that can be exploited. MedWell then builds virtual clones of the devices – think digital twins – and actively analyzes these virtual clones to find things to exploit. MedFortify generates and implements tailored risk mitigation plans. MedDefend provides real-time threat detection using AI algorithms to detect threats like malware. (Cylera recently found a flaw that enables malware to embed itself within medical imaging files.)
Founded in 2015, Silicon Valley startup Armis Security raised $65 million in funding last month from a Series C round headed by Sequoia Capital which brings total funding to $112 million. Armis claims that its edge over competitors is a Software-as-a–Service (SaaS) solution that can be operated “agentless” and has the capacity to autonomously determine threats before devices even connect to a network. (In most organizational environments, at least 40% of the devices on your network are not seen, and 60% are unmanaged.) Armis accomplishes this by monitoring the wireless environment, tracking all devices, controlling what connections are allowed, and inspecting traffic for threats.
The Armis platform can also automatically disconnect and quarantine any suspected malicious hardware without overriding any existing access control policy in the network. According to a recent article by VentureBeat, Armis monitors “46 million devices worldwide, and while it prefers to keep client names under wraps, it says that it has “multiple” multimillion-dollar contracts with enterprises and deployments in more than 25% of the Fortune 100.”
Founded in 2015, Portland, Oregon startup Senrio has taken in an undisclosed amount of funding from investors to develop a platform that “instantly identifies, classifies and categorizes all the devices on your network, adding information about them to a living, dynamic record.” Senrio analyzes the blueprint of all the identified network devices in a client’s IT environment using just network data. To date, Senrio has provided its services to clients including Samsung, Google, HP Blackberry, Comcast Xfinity, and National Security Agency. You wouldn’t be able to tell that by looking at their website which offers up a user experience that makes waterboarding look like a whole lot of fun.
Founded in 2016, Encinitas, California startup Medcrypt has taken in $3.1 million in funding to ensure that all data communications involving medical devices take place only between trusted sources using real-time remote monitoring. New FDA guidance requires device developers to implement data encryption, signature verification, and behavior monitoring into medical devices. “With just a few lines of code, MedCrypt brings regulatory mandated and industry-leading cybersecurity practices to medical devices, from pacemakers to surgical robots,” says the company whose founders already have one success story under their belt having sold their last startup – Gamma Basics – to Varian in 2013.
For example, since the FDA released their Cybersecurity Guidance in 2016, device vendors reported 400% more vulnerabilities per quarter. Of those vulnerabilities, 66% were caused by code defects and user authentication issues.
Update 05/7/19: MedCrypt has raised $5.3 million in new funding to expand its team, adding new members in sales and engineering roles, and further develop its technology. This brings the company’s total funding to $8.4 million to date.
Founded in 2016, Ontario, Canada startup Cybeats has taken in $3 million in funding to take an “inside-out” approach to cybersecurity by implanting a “microagent” in the IoT environment that complements the already existing software and hardware of the medical devices. From the inside, the Cybeats microagent instantly detects and blocks the threats found in the firmware and reduces downtimes during which the system becomes vulnerable to attacks. Cybeats Microagents are tiny – mere kilobytes in size – and have strictly controlled CPU and IO consumption with all heavy processing performed by the Cybeats cloud service. Similar to Cylera, Cybeats also “builds and maintains dynamic models of healthy device behaviors” so they can detect abnormal behavior (as opposed to relying on an external database of threats and vulnerabilities.)
Founded in 2017, Israeli startup Cynerio has taken in $7 million in funding to help protect the Internet of Medical Things (IoMT) using machine learning algorithms to automatically discover medical devices on any given network, map the risks and vulnerabilities of the devices, detect anomalies, and prevent suspicious communications. Cynerio claims that a key competitive advantage is their founders who are both graduates of the Israeli Defense Forces’ elite cybersecurity and information gathering team, Unit 8200. Rambam Hospital and Tel Aviv Medical Center are two of the world’s top healthcare organizations using Cynerio’s technology to protect sensitive data.
Founded in 2011, Virginia startup Risk Based Security has taken in an undisclosed amount of funding to develop – well, it’s kind of hard to say, because they appear to have used the same website designer as Senrio. (Companies sometimes get angry when we take the piss out of their web presence, but it’s 2019, and there’s no excuse for tech startups not to have websites that are easy on the eyes and clearly convey a value proposition without the need to dig for it.) The firm offers “a complete arsenal of world-class cybersecurity services” which includes things like penetration testing, cybersecurity training, digital forensics, and incidence response. We did find this interesting chart on their blog which shows how prevalent ransomware is in the healthcare industry.
Ransomware is when a hacker gains control over some asset of yours and demands that you pay money to release them. It’s often just a matter of simply whipping out your credit card and paying, and many healthcare firms opt to take this route and quickly make the problem go away while also avoiding any bad media exposure.
Founded in 2017, Silicon Valley startup Xage Security has taken in $16 million in funding from investors that include General Electric and Saudi Aramco Energy Ventures to develop a method of implementing cybersecurity measures that restrict access to a client’s network. To ensure that only authorized machines and personnel get in the system, Xage Security’s platform requires an approved MAC address along with authorized fingerprints. A certificate will also be installed to the devices in order to guarantee that the machine requesting access has been truly verified and possesses authorization from the pertinent department. In case a bad actor manages to breach the system, Xage contains the threat by locking down the affected sector. That way, the threat won’t spread across the entire network. Healthcare is just one of many industries they service with products used by more than 1,000 companies across the globe. They also use blockchain technology which is perhaps the first time we’ve seen blockchain used for a cybersecurity application.
Founded in 2017, New Yawk startup CyberMDX has taken in $10 million in funding from investors to develop an unobtrusive cybersecurity software product called MDefend which can protect your devices without the need to install anything on the medical devices themselves. The company aims to create a “holistic solution” to cybersecurity threats by building a system that can automatically identify, alert, and secure every device that connects to a hospital’s network. Like Cynerio, one of CyberMDX’s competitive advantages are the company’s founders who are considered top experts on security – Amir Magner previously worked as the head of the Israeli Prime Minister’s Office’s Cyber Division while Moti Shniberg co-created Face.com which was later on bought by Facebook.
Founded in 2014, Silicon Valley startup Zingbox has taken in $23.5 million in funding from investors that include Dell to develop a product called IoT Guardian which uses machine learning to analyze network traffic and establish a baseline for “normal” behavior which can then be used to spot anomalous activities. The firm claims to offer the only “unsupervised Deep Learning solution to discern the individual personality of each connected device,” and they’re already using that technology to secure more than 11.2 million medical devices across the globe.
A collaboration with Allied Telesis gives them the ability to isolate portions of a network and quarantine gadgets until problems can be resolved.
Recent high-profile healthcare attacks like Orangeworm, NotPetya, and WannaCry show just how important it is for healthcare companies to be thinking about device security. You can’t just leave it in the hands of the device manufacturers who have their own problems to deal with. A few years ago, Abbot had to recall over 500,000 pacemakers because of security concerns. In today’s ‘Murica where people find “trial by social media” an acceptable practice, it’s increasingly important to proactively protect your reputation and protect against data breaches. By adopting solutions like the ones we’ve talked about, at least that’s money well spent on some CYA just in case you end up in a courtroom.