MedCrypt, Inc. has partnered with Kansas State University by providing a grant to drive advancements in quantifying regulatory and cybersecurity risk in the medical field. This summer, the partnership will aim to enhance medical device cybersecurity research by focusing on validating the tools used to assess client risk, incorporating a holistic approach, and seamlessly integrating technical elements and public and regulatory policy considerations.
The collaboration, led by Dr. Eugene Vasserman (KSU) and Dr. Seth Carmody (MedCrypt’s VP of Regulatory Strategy), aims to address the varied challenges of assessing and quantifying cybersecurity risks associated with interconnected medical devices and their impact on clinical care delivery, patient safety, and business continuity. The MedCrypt and KSU collaboration brings together premier research institutions to tackle challenging problems faced by MDMs. Additionally, it provides the possibility for working together between MedCrypt, KSU, and Tufts University. With the U.S. Food and Drug Administration’s (FDA’s) decision to refuse future device submissions which don’t meet minimal cybersecurity requirements by October 1, there is a call to action for Medical Device Manufacturers (MDMs) to prioritize cybersecurity.
The research will combine a comprehensive qualitative and quantitative approach that considers risks from both business and technical perspectives. I like prior “one size fits all” work, which includes analyzing the manufacturer-specific approach to cybersecurity during product line engineering and product design, product requirement and risk evaluation including compensating controls, verification and validation procedures, and post-market monitoring and support. By integrating broader cybersecurity practices such as threat modeling, vulnerability monitoring, and incident response, MedCrypt and KSU can work towards enhancing the security posture of medical devices and manufacturers. The urgency to comply with the FDA’s requirements by October 1 provides a compelling incentive for MDMs to engage with MedCrypt. Through the partnership, MedCrypt and KSU can leverage academic best practices in medical device cybersecurity while applying real-life constraints that MDMs experience every day. By doing so, they will contribute to the overall safety and integrity of interconnected medical devices, ultimately improving patient care, reducing the risk of cyber threats in healthcare environments, and placing MDM-level cybersecurity risk estimation on a firmer footing.
“Partnering with Kansas State University allows us to focus on a critical research initiative,” said Seth Carmody. “This partnership validates the value of our risk assessment tools and strengthens our capacity to tackle evolving challenges in medical device cybersecurity. By leveraging academic expertise, industry insights, and an understanding of new rules and regulations, we are confident that our joint efforts will lead to significant advancements.”
Dr. Vasserman brings extensive experience in the security of distributed systems, cyber-physical systems, and the socio-technical aspects of security. As the director of the Kansas State University Center for Cybersecurity and Trustworthy Systems (K-CaTS), he has played a pivotal role in advancing cybersecurity education and has been involved in multiple medical device cybersecurity projects, from the MDM side as well as through collaboration with the FDA. Dr. Vasserman has also received several notable recognitions, including the Commissioner’s Special Citation in 2018 as a member of the St. Jude Medical Cybersecurity Response Team, the Outstanding Service Award in 2020 as a member of the Cardiac Monitor Cybersecurity Review Team, and the Group Recognition Award in the same year as a member of the URGENT/11 Response Team.
“I am honored to lead this research and work closely with MedCrypt to address challenges in medical device cybersecurity,” said Dr. Eugene Vasserman. “Our research will not only provide a holistic understanding of cybersecurity risk in the medical field but also contribute to developing standards and policies that will help strengthen the safety and integrity of medical devices. Together, we aim to make lasting improvements to the industry and protect patients from ever-evolving cyber threats.”
The research team will develop a platform that is both customizable and expandable, integrating qualitative and quantitative metrics. This platform will provide actionable and prioritized recommendations for addressing current and future technological, regulatory, and business risks. In terms of advancing science, the project will result in research papers and software artifacts that disseminate new knowledge and provide a foundation for others to build upon. Customers of MedCrypt can anticipate a swift integration of research findings into their products and services. This integration will bring immediate benefits, such as significantly enhanced proactive risk management, specifically tailored to the processes and needs of MDMs, which will include ongoing monitoring, testing, and updating of security controls. These practices not only help meet regulatory requirements but also effectively reduce cybersecurity risks while simultaneously lowering costs by prioritizing the mitigation strategies most likely to be effective and avoiding those that may yield little long-term benefit. Ultimately, customers can have increased confidence in the security of medical devices, which leads to increased trust between healthcare providers, patients, and the technology they rely on.