Launch HN: MedCrypt (YC W19) Medical Device Cybersecurity

Hi HN! We're Eric and Mike, founders of MedCrypt ( https://www.medcrypt.com

). Our mission is to make it easy for healthcare technology companies to build cybersecurity features into their products.

I (Mike) was previously a product manager at a medical device company and witnessed an increasing concern about the security posture of Internet-enabled medical devices. This culminated in a couple of big device companies needing to issue recalls for their medical devices due to cybersecurity vulnerabilities. It struck me as an interesting transition from cybersecurity being a compliance requirement and instead a concern when managing patient safety.

Being concerned about the lack of resources available to implement data security properly, or at all in some cases, we decided to build a platform that helps healthcare software and medical device companies properly integrate data security features into their products, while actively monitoring them for vulnerabilities and suspicious behavior.

We address this problem by providing our customers with a configuration driven library that exposes a simple API to access data security operations, crypto library versioning/vulnerability tracking, key management, and device behavior monitoring. The features our solution provides also happen to cover all of the FDA’s new requirements for data security in medical devices ( https://www.fda.gov/downloads/MedicalDevices/DeviceRegulatio... ). These requirements place special emphasis on proper data encryption, signature verification, intrusion detection, and vulnerability monitoring.

While medical device vendors could go through the trouble of pulling together open source crypto libraries, certificate authority APIs, and monitoring solutions, or even write some of their own from scratch, we believe MedCrypt's platform offers a better alternative. We handle the complexity of integrating open source crypto libraries with PKI and monitoring infrastructure and provide simple API calls for key provisioning, certificate generation, data security ops, and monitoring.

Medical device vendors use their account on the MedCrypt platform to tell us about the individual computing components that make up their device, what types of data are stored or transmitted over the wire, and what kind of security is required. This allows us to point the vendor to the appropriate MedCrypt library (C/C++ libraries or bindings for NodeJS, Java, C# .NET, etc.) to use for each component and creates a generic provisioning configuration that the MedCrypt library uses to generate the appropriate key pairs, communicate with PKI, and register CBOM metadata for vulnerability tracking purposes.

Once the device and its keys are approved (via our provisioning API or predefined filters) and the certificates and signed configuration are delivered to the device, MedCrypt's library uses the certificates and the security configuration to enable simple API calls to secure the device's data.

For example, after being provisioned, if a glucose monitor is required to sign each set of measurement data sent to a central system called "data-capture", the API call is boiled down to:

int returnCode = glucoseMonitor.dataFor(&securedData, "data-capture", rawMeasurementData);

Under the hood the MedCrypt library is using the signed data security configuration to select the cryptography resource, sign the data with the appropriate secret key, construct a data payload that encapsulates the original data and signature for delivery to the "data-capture" server, and (if enabled) registers monitoring events with regard to when and with which keys a signing operation occurred.

On the other end, the "data-capture" server can verify and get access to the measurement data through an API call:

int returnCode = dataCapture.dataFrom(&rawMeasurementData, "glucose-mon", secureData);

Again, underneath, the library is using the configuration to establish what type of security is required for this data and whether it can trust the public key referenced by the signature on the measurement data. If the public key is trusted and the signature is verified then the original measurement data is returned to the user. The signature data can also be returned so that the integrity and provenance of the measurement data can be verified in the future. If enabled, an event is recorded indicating the status of the signature verification and from which device/keys it was generated with.

The library can also be used to apply security to sockets, encrypt data at the application level, and monitor additional events, all driven by the signed configuration describing the security preferences for this device.

When our monitoring service receives metadata about the security events on the device, we can then scan for anomalous behavior. Our behavior-monitoring baselines are developed using the data from multiple classes of medical devices from multiple vendors, giving our customers access to a dataset larger than they’d be able to build on their own.

Medical device vendors should be able to focus on building innovative clinical features while using best of breed tools and platforms for things like security. We believe we’re building security tools in a way that optimizes data security without compromising clinical functionality.

We’d be excited to hear your feedback, and how you think a healthcare-specific cybersecurity company can help medical device vendors facilitate secure connectivity.

Please check us out at https://www.medcrypt.com