MedCrypt Funds Medical Device Usable Security Research at the School of Engineering at Tufts University
Industry: Healthcare
Led by Professor Daniel Votipka, the research will drive efforts to investigate the challenges of effective threat modeling for medical devices and aim to make cybersecurity evidence more reproducible
San Diego, CA (PRUnderground) April 25th, 2023
MedCrypt, Inc., the proactive cybersecurity solutions provider for medical device manufacturers, today announced its financing of the School of Engineering for a Tufts University fellowship program that will support research focusing on the investigation of medical device security and threat modeling.
More than half (53%) of connected medical and other IoT devices in hospitals have a known critical vulnerability. Despite the Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) recognizing the significance of threat modeling as a process resulting in more secure device and producing the supporting evidence, a study by Ponemon Institute revealed that about 49% of device makers do not follow guidance, specifically from the FDA, to mitigate or reduce inherent security risks. To address this issue, the work that will be done by Ronald (Ron) Thompson and Daniel Votipka aims to conduct research in the Tufts Security and Privacy Lab at the School of Engineering on the effectiveness and practicality of threat modeling and other security measures that organizations can use as a reference to help establish more efficient and repeatable security processes for medical devices.
Ron Thompson, who will be the first fellow in the program, is currently a PhD student of over two years in the Tufts Security & Privacy Lab studying computer science, specifically usable security, and medical devices, and a consultant to MedCrypt on threat modeling and threat modeling training. His overarching goal is to develop technology and data-driven processes and tools that protect healthcare systems and allow clinicians, researchers, and other healthcare workers to focus on delivering care to patients. Ron has nearly a decade of experience working as a data engineer, analyst, and consultant, helping organizations unlock the value of data and technology. Previously, Ron was a MedTech investment analyst when he first encountered cybersecurity issues involving medical devices. The common theme in his career has been helping people leverage technology’s power, from ensuring medical devices are secure by design to providing data-driven evidence for decision-making.
Daniel Votipka is an assistant professor of two years in the Computer Science Department in the School of Engineering at Tufts University and the director of the Tufts Security and Privacy Lab and has almost a decade of cybersecurity research experience. His research focuses on computer security, with an emphasis on the human factors affecting security professionals. Daniel focuses on understanding the processes and mental models of professionals who are required to perform security tasks daily such as secure development, vulnerability discovery, network defense, and operational security to provide research-based recommendations for education, policy, and automation changes to best leverage human intelligence against challenging computer security problems.
“We are excited that MedCrypt has chosen to support our research investigating the challenges of effective threat modeling for medical devices,” said Professor Votipka. “This research will identify common gaps in device threat models and support the development of new guidance and tools to help developers ensure their devices are secure. Threat modeling is an essential component of the secure development process and this work will get us closer to the goal of reliable, repeatable, and effective threat modeling. Without MedCrypt’s support, this work would not be possible.”
MedCrypt acknowledges the vital role that evidence-based security practices play in the MedTech industry and recognizes the need to address the existing gaps. Additionally, the organization encourages research initiatives that drive the industry forward. By taking a hypothesis-driven approach, the findings from this research fellowship could inform sustainable, scalable advances in medical device security processes. This is not only beneficial but also necessary, as the FDA relies on threat modeling to generate evidence that medical devices have been built with security in mind. Threat modeling artifacts are used to conduct safety risk assessments, which then inform vulnerability surveillance for products in the field.
“Cybersecurity practices, such as threat modeling, play a crucial role in designing secure medical devices proactively. Given that the effectiveness of such processes determines the safety of these devices, they should be as reliable and practical as other scientific methods,” said Shannon Lantzy, Vice President of Consulting at MedCrypt. “The FDA requires substantial evidence of cyber security, and the industry must generate that evidence at scale. Threat modeling is a process that needs to scale, which can only be achieved through data standards. We believe this research will have a strong role to play.”
MedCrypt currently provides enhanced security products and services for seven of the top 10 medical device manufacturers as well as startups and mid-sized companies, including the leading manufacturers of surgical robotics technologies and virtual reality applications for minimally invasive surgery. For more information about MedCrypt and its suite of security solutions, please visit medcrypt.com.
About MedCrypt
Medcrypt is helping healthcare technology companies ensure medical devices are secure by design. We provide cybersecurity products and strategic management consulting to expedite the go-to-market process of medical device manufacturers’ new life-saving connected technologies.
Founded in 2016 by a team of healthcare cybersecurity experts, Medcrypt is uniquely positioned to be the security catalyst for medical device manufacturers to design secure, FDA-approved technologies. We continue to work with those paving the way toward safe and reliable medtech. To date, Medcrypt has raised more than $36 million in funding with participation from Johnson & Johnson Innovations, Intuitive Ventures, and Dexcom Ventures. For more information, please visit www.Medcrypt.com.