MedCrypt, Kansas State University Launch Medical Device Security Research Project

MedCrypt and Kansas State University will embark on a joint project to quantify regulatory and cybersecurity risks in the medical field.

By Jill McKeon

MedCrypt, a cybersecurity solution provider for medical device manufacturers, announced a partnership with Kansas State University (KSU) to drive medical device security research. MedCrypt provided a grant to KSU to quantify regulatory and cybersecurity risk in the medical field.

As previously reported, medical device security remains a pain point for healthcare organizations and medical device manufacturers as they grapple with increasingly complex networks of connected devices and their accompanying security risks.

What’s more, on October 1, the US Food and Drug Administration (FDA) will begin exercising its authority to refuse medical device submissions on the basis of cybersecurity. The looming October 1 deadline provides a “call to action for Medical Device Manufacturers (MDMs) to prioritize cybersecurity,” the press release stated.

To drive improvements in this space, the research team, led by Dr. Eugene Vasserman of KSU and Dr. Seth Carmody, VP of regulatory strategy at MedCrypt, will first focus on validating tools used to assess client risk and quantifying cyber risks associated with interconnected medical devices.

"Partnering with Kansas State University allows us to focus on a critical research initiative," said Carmody. "This partnership validates the value of our risk assessment tools and strengthens our capacity to tackle evolving challenges in medical device cybersecurity. By leveraging academic expertise, industry insights, and an understanding of new rules and regulations, we are confident that our joint efforts will lead to significant advancements."

The research team aims to consider risk from both business and technical perspectives, integrating threat modeling, vulnerability monitoring, and incident response along the way. Specifically, the team has set its sights on developing a customizable and expandable platform to provide recommendations for “addressing current and future technological, regulatory, and business risks.”

MedCrypt and KSU said that the project would result in research papers and software artifacts that can help the industry gain knowledge and reduce risk.

"I am honored to lead this research and work closely with MedCrypt to address challenges in medical device cybersecurity," said Vasserman. "Our research will not only provide a holistic understanding of cybersecurity risk in the medical field but also contribute to developing standards and policies that will help strengthen the safety and integrity of medical devices. Together, we aim to make lasting improvements to the industry and protect patients from ever-evolving cyber threats."

Healthcare security experts have long sought to address medical device security issues, but a lack of data has made it difficult to quantify risks and know what to prioritize. In October 2022, the Medical Device Innovation Consortium (MDIC) tackled this issue by releasing its first medical device security maturity benchmarking tool and report in collaboration with Booz Allen Hamilton and the Health Sector Coordinating Council (HSCC).

The report, consisting of survey responses from 17 medical device manufacturers, shed light on significant security gaps. The report found that “the industry as a whole has a low level of cybersecurity maturity.”

Future research in the medical device security space can help healthcare organizations, device manufacturers, security companies, and regulators manage risk more efficiently and effectively.