MedCrypt, a healthtech cybersecurity startup founded near San Diego, has raised $750,000 in a seed financing round led by Safeguard Scientifics (NYSE: SFE), a private equity fund in suburban Philadelphia that invests in healthcare, fintech, and digital media. (Safeguard Scientifics also is an investor in Sotera Wireless, the San Diego-based maker of wireless devices for remote patient monitoring.)
Various angel investors joined in the deal, MedCrypt co-founder and CEO Mike Kijewski told me in a recent interview.
Founded in January, MedCrypt has been developing cybersecurity technology for healthcare devices that connect to the Internet of Things (IoT), including implantable medical devices and other equipment that has been shown to be vulnerable to hackers. The startup plans to use the capital infusion to refine its prototype security software as a service, and to conduct a pilot project to show that its technology works with medical devices, Kijewski said.
MedCrypt is focused on preventing the sort of thing that happened to St. Jude Medical (NYSE: STJ), Kijewski said. The St. Paul, MN-based medical device maker became the subject of a stock-shorting gambit last month over purported security vulnerabilities in its wireless pacemakers and defibrillators.
A San Francisco investment firm, Muddy Waters Capital, announced on Sept. 25 that it had uncovered “troubling cybersecurity flaws” in St. Jude’s cardiac devices, based on tests conducted by MedSec, a cybersecurity firm. The questions raised by Muddy Waters and MedSec come at a time when St. Jude’s is being acquired by Abbott Laboratories in a deal valued at $25 billion. St. Jude’s has denied that its devices are vulnerable to hacking, and Abbott has said it plans to continue pursuing the deal.
Last week, St. Jude’s filed a lawsuit against Muddy Waters, MedSec, and others—alleging they had intentionally made false and misleading claims about its heart devices to profit from a drop in St. Jude’s stock price.
Whether or not the cardiac devices prove to be hackable, Kijewski said, “What this situation has shown is that a malicious actor does not actually have to exploit a vulnerability to take advantage of it.”
The incident also has spurred questions about the ethics of publicizing the vulnerabilities of implantable medical devices, or for that matter, any connected health technologies. However that debate comes out on Wall Street, Kijewski said it is not exactly in patients’ best interest to disclose how their health data can be hacked.
MedCrypt’s security approach is twofold, Kijewski said. The startup’s system requires multi-factor authentication to access the operating system software that a company uses to manage its healthtech devices; and it encrypts patient data on each device. In a statement released today, MedCrypt says its software allows manufacturers to authenticate users, encrypt data, and cryptographically sign settings and patient prescriptions.
“We don’t need to make devices unhackable,” Kijewski said. “If you spend $20 million to make it unhackable, somebody else will spend $21 million just to get in. Our approach is that we want to make it financially impractical to hack a device. The fact of the matter is that medical devices need better [cybersecurity] solutions.”
What the St. Jude’s case highlights, Kijewski said, is an example of a company “suffering financially because of these security vulnerabilities—without even suffering a breach of their security.”
Kijewski said he began laying the groundwork for MedCrypt with co-founder and CTO Eric Pancoast in 2014, after they sold their medical physics-related software company, Gamma Basics, to Varian Medical Systems. The co-founders have been working out of a co-working space in Encinitas, CA, about 30 miles north of San Diego.
Kijewski and Pancoast first teamed up in 2008 while Kijewski was a student at the University of Pennsylvania’s Wharton School. A third MedCrypt co-founder, Penn cryptographer and research professor Brett Hemenway, serves as the company’s chief scientific officer.