The idea of a malevolent individual hacking a critical medical device may sound like the stuff of crime fiction, but it is well within the realms of possibility.
There have been no known malicious attacks on medical devices to date, but controlled hacking of pacemakers and insulin pumps has exposed their potential vulnerability.
Anita Finnegan is very aware of risk having spent over 15 years working in heavily regulated industries such as medical devices and automotive. She has a background in engineering and quality management, and when she decided to study for a PhD at the Dundalk Institute of Technology, she took the security of medical devices as her research topic. This has since developed into a cybersecurity risk management expert system called SelectEvidence.
The product, which is now market-ready, is aimed at helping medical device manufacturers to design, verify and certify their devices in accordance with the cybersecurity requirements of the US Federal Drugs Administration (FDA).
The US is a critical market for Finnegan as there are an estimated 6,500 medical device companies operating there.
“My research focused on demonstrating confidence in the security of medical devices,” Finnegan says.
“I developed a method that gained a lot of attention within the medical devices domain and as a result was invited to author a number of international standards to provide a guidance framework for manufacturers. The initial framework far exceeded the scope of a PhD and was a manual process. I saw the potential to develop software to automate and ultimately commercialise the process and this led to the development of SelectEvidence.”
Medical device cybersecurity has become a hot topic over the last number of years and controlled hacks have shown up weaknesses such as hard-coded passwords, open ports and lack of access control mechanisms. Finnegan says her expert system fills a need by “providing manufacturers with a standardised, repeatable, traceable, auditable approach to implementing cybersecurity requirements across their product portfolios”.
FDA document
In 2015, Finnegan set up spinout company Novah Leah to take her system to market and the company will begin employing staff this year. The development of SelectEvidence has been supported by
Science Foundation Ireland
, while
Enterprise Ireland
provided a commercialisation grant of €300,000. The company is now seeking investment to ramp up its development.
“The FDA published a cybersecurity guidance document in October 2014 that outlined requirements for medical device manufacturers to demonstrate the security assurance of a device prior to putting it on the market. Until this, manufacturers were concerned only with demonstrating that a device was safe and effective,” Finnegan says. “Within the last week, however, the FDA has taken things a step further. They now want manufacturers to take responsibility for a device’s security for the duration of its operational life. Our system will help them achieve this.”
MRI and CT scanners
SelectEvidence is aimed at those developing interoperable, interconnected, networked and wireless medical devices.
The US market, which Finnegan says has an estimated size of $133 billion (€123 billion), offers big opportunities for the company. “We are specifically targeting two of the largest medical device segments initially – imaging devices such as MRI and CT scanners (worth $37.5 billion) and electro-mechanical devices such as pacemakers and patient monitoring systems,” she says. “We will install our system on manufacturers’ own servers on either a standalone or an integrated basis and will operate a scalable licence fee revenue model.
“Because of my experience within the international standards community, I already have strong connections and will leverage them as an initial route to market,” she adds. “SelectEvidence has no direct competitors. There are many process risk-management tools available, but they purely manage the steps in conducting risk-management activities and are not supported by extensive live repositories of validated information.”