Medcrypt: Providing Data Security To Medical Device OEMs In Over A $30 Billion Market

By Amit Chowdhry • Sep 1, 2023

Medcrypt is a proactive cybersecurity solution provider for medical device manufacturers. Pulse 2.0 interviewed Medcrypt co-founder and chief technology officer (CTO) Eric Pancoast to learn more.

Eric Pancoast’s Background

Pancoast is part of a team that is revolutionizing medical device cybersecurity.

“Our primary goal is to ensure the safety and security of medical devices, allowing healthcare providers to deliver top-notch care while safeguarding patient privacy and ensuring safety. It’s a rewarding journey to merge my expertise and passion for cybersecurity to drive innovation and protect the future of healthcare technology.”

“To lay the foundation for my career, I earned an Associate’s degree in Computer Science from Bucks County Community College and then a Bachelor of Science degree in Computer Science from Drexel University. These educational programs, along with early software engineering positions at the University of Pennsylvania and various startups, provided me with a solid understanding of software development and computer systems, enabling me to tackle complex engineering problems with confidence and expertise.”

“My journey in the world of tech products began with the co-founding of Gamma Basics, a remarkable software startup specializing in radiation oncology. Our hard work and dedication paid off when Varian Medical Systems recognized our potential and acquired our company in 2013. It was an exhilarating experience to see our software products integrated into such a prominent organization.”

“Before my entrepreneurial venture with Gamma Basics, I had the privilege of serving as the Lead Software Architect and co-founder at Mimeya Technology. During my time there, I focused on developing Cloud-based Big Data SaaS applications and worked with cutting-edge technologies to solve some novel software engineering problems.”

“Throughout my career, I’ve cultivated a deep passion for cybersecurity engineering. I’ve had the opportunity to delve into various aspects of this field, equipping me with a diverse set of skills to combat the ever-evolving threats in today’s digital landscape. I firmly believe that cybersecurity is paramount, especially in sectors as vital as healthcare, where patient privacy, safety, and data security are of utmost importance.”

Formation Of Medcrypt

How did the idea for Medcrypt come together?

“After the sale of Gamma Basics to Varian, Mike, our CEO, began engaging more extensively in medical device software and delving into product implementation challenges. While he was there, the notion of compromised clinical care delivery due to security concerns arose, and he shared it with me. What initially started as a casual conversation between former founders evolved into our passionate pursuit of improving cybersecurity in medical devices. A collaboration emerged with a cybersecurity professor to devise strategies to ease the implementation of cryptography for medical device engineers. Soon after that, we developed a clear understanding of the requirements for safeguarding a device throughout its lifespan.”

“As the CTO, my focus lies heavily on devising future-proof solutions and mitigating tech debt, a challenge faced by almost every startup. Although security measures may appear to be precautionary measures for improbable situations, in our actual experience, it has proven beneficial to anticipate use cases beyond the present landscape.”

“A fundamental aspect of my role involves bringing our solutions to production and continuously refining them based on insights gained from implementations. It is crucial that our solutions do not stagnate but instead adapt to evolving design, customer needs, and regulatory requirements.”

“Additionally, our team has grown from a small group of three individuals in a single room to a fully remote workforce exceeding 50 members. This expansion necessitates the implementation of robust internal security practices that require constant attention and improvement. Responsible growth is a big deal to us, which is why I invest significant time in establishing processes and practices that align with our business objectives.”

Favorite Memory

What has been your favorite memory working for Medcrypt so far?

“My favorite memory at Medcrypt stems from a very early integration with a customer named RefleXion Medical. Having the privilege of traveling out to our customer’s sites and working with some of the most talented engineers in the industry in order to integrate our security software into their devices was incredible. Seeing their awesome, life-saving machines firsthand and running through the test procedures together to verify everything was integrated properly was amazing. My favorite part of our work here at Medcrypt is forging long-lasting relationships with our customers and their engineers and helping them make cybersecurity a much less painful problem to solve.”

Challenges Faced

What are some of the challenges Pancoast faced in building the company, and has the current macroeconomic climate affected the company?

“When we started the company, it seemed like we were late to the party; device manufacturers had been building devices for decades and said they didn’t need help. However, with persistence and continued technical diligence, we were able to demonstrate how we were filling specific gaps that existing strategies had failed to address. It was difficult to overcome the slow traction when it came to fundraising; however, between recent customer traction and maturing regulatory awareness, we’re facing new challenges around meeting the demand that we hadn’t experienced before.”

“COVID certainly delayed deployment given more device manufacturers were struggling with supply chain concerns and workforce challenges. That being said, the ability to deploy care remotely became all the more relevant with pandemic restrictions, thus requiring increasingly mature software and connectivity deployments.”

“Because of various factors, our workforce operates entirely remotely, presenting certain challenges in enforcing optimal procedures and fostering efficient collaboration. This situation has compelled us to employ innovative approaches in establishing strong ties with our brand’s values and the principles we embraced seven years ago.”

Core Products

What are Medcrypt’s core products and features?

“Medcrypt’s product offerings make it easier for device vendors to secure their own products and maintain that security for the lifetime of their devices. From managing SBOMs and tracking vulnerabilities to implementing cryptography correctly for the protection of device data and communications, to monitoring device behavior to detect suspicious behavior, our solutions cover the aspects of device cybersecurity that are the hardest to get right and maintain without specialized knowledge and resources.”

“Our Services team helps device manufacturers understand what appropriate cybersecurity means for their particular device and its ecosystem and provides our customers with the help they need to integrate our products and properly comply with the FDA.”

Products:

  • Helm allows device vendors to manage their SBOMs (software bills of materials) and track the associated vulnerabilities across the many versions of device software they have active in the field. Helm excels at both pre-market and post-market SBOM and vulnerability management, setting it apart from standard SCA tools and making it especially well-suited to the unique use cases surrounding our customers’ medical devices.
  • Guardian makes it easy to integrate cryptography directly into device software to establish trust and secure a device’s data and communications. Typical cryptography tools and services solve only a small part of the cybersecurity problem when it comes to device key and certificate provisioning, reliable cryptography configuration, crypto agility, and handling use cases specific to medical devices, like certificate expiration. Guardian is especially well-suited to make it easy for medical device engineers to build comprehensive cryptography-enabled trust and data security into their devices.
  • Ghost, similar to a VPN (virtual private network), uses an agent-based approach to secure data in transit without having to change the existing software on the device. In some cases, our customers are unable to change their existing software application but need to secure the data it’s transmitting. Ghost enables device vendors with no other options to take a stand-off approach to data security that would otherwise leave data communications vulnerable to attack.
  • Overwatch is our device PWS (provisioning workflow system) and is critical to building up the foundation of trust that allows our Guardian products to use cryptography effectively.
  • Canary allows our customers to determine when their devices are under attack. The FDA requires medical devices to have “features that alert users in the event of a breach”. Canary monitors the devices’ behavior in the field in order to detect security events, alerting device vendors (not the end-user) to abnormal behavior.

Services:

  • Threat Modeling
  • FDA Submission Compliance
  • Medcrypt Product Integration

Medcrypt’s security software enables device vendors to use cryptography to secure data traveling between or stored on devices. Medcrypt then provides remote, real-time monitoring to alert medical device vendors of suspicious behavior that may yield potential security threats to their company, devices and patients.

1.) Solutions

a.) SBOM & Vulnerability Management

i.) Allows companies to find software vulnerabilities as soon as they are discovered. Helm queries public vulnerability databases such as the National Vulnerability Database (NVD) hourly, looking for vulnerabilities related to software dependencies used in your SBOMs. Use Helm to track which vulnerabilities affect your SBOM, centralize how you plan on mitigating/fixing, and share whether it has been fixed.
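As an added illustration of the SBOM-to-vulnerability matching workflow described above (example code written for this article, not Medcrypt’s Helm implementation), the snippet below matches a constructed CycloneDX-style SBOM against a constructed, NVD-shaped vulnerability feed and records a triage status per finding. All package names, versions and the EXAMPLE-* identifiers are made up; the version comparison is deliberately simplified to numeric dotted versions.

```python
# Added example (not Medcrypt's Helm code): cross-reference an SBOM against a vulnerability
# feed and keep a per-finding triage record. All data is constructed; IDs are placeholders.

def parse_version(v: str) -> tuple:
    """Numeric dotted versions only ('1.2.10'); a real tool needs semver/PEP 440 rules."""
    return tuple(int(p) for p in v.split("."))

# Constructed CycloneDX-style SBOM fragment for one device firmware version.
SBOM = {
    "components": [
        {"name": "openssl", "version": "1.1.1", "purl": "pkg:generic/openssl@1.1.1"},
        {"name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
        {"name": "libxml2", "version": "2.9.4", "purl": "pkg:generic/libxml2@2.9.4"},
    ],
}

# Constructed feed in the shape an NVD-style poller might normalise records into:
# affected package, first affected version (inclusive), first fixed version (exclusive).
VULN_FEED = [
    {"id": "EXAMPLE-2023-0001", "package": "openssl", "introduced": "1.1.0", "fixed": "1.1.2"},
    {"id": "EXAMPLE-2023-0002", "package": "libxml2", "introduced": "2.9.0", "fixed": "2.9.5"},
    {"id": "EXAMPLE-2023-0003", "package": "zlib", "introduced": "1.2.0", "fixed": "1.2.12"},
]

def is_affected(version: str, introduced: str, fixed: str) -> bool:
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)

def match_sbom(sbom: dict, feed: list) -> list[dict]:
    """One finding per (vulnerability, component) pair whose version is in the affected range."""
    by_pkg: dict[str, list] = {}
    for rec in feed:
        by_pkg.setdefault(rec["package"], []).append(rec)
    findings = []
    for comp in sbom["components"]:
        for rec in by_pkg.get(comp["name"], []):
            if is_affected(comp["version"], rec["introduced"], rec["fixed"]):
                findings.append({"vuln_id": rec["id"], "component": comp["name"],
                                 "version": comp["version"], "status": "open", "notes": []})
    return findings

STATUSES = ("open", "mitigated", "fixed")   # lifecycle a finding moves through

def triage(findings: list[dict], vuln_id: str, status: str, note: str) -> dict:
    """Record the mitigation decision so it can be shared across device software versions."""
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    f = next(x for x in findings if x["vuln_id"] == vuln_id)
    f["status"] = status
    f["notes"].append(note)
    return f

def open_findings(findings: list[dict]) -> list[str]:
    """Vulnerability IDs still needing action for this SBOM."""
    return [f["vuln_id"] for f in findings if f["status"] == "open"]
```

Note that zlib 1.2.13 is not reported because it is at or past the fixed version; a fixed-version boundary off by one is the most common way such matchers produce false positives or misses.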

b.) Monitor Devices in the Field

i.) Canary allows companies to know when devices are under attack. The FDA requires medical devices to have “features that alert users in the event of a breach”. Canary allows you to monitor your devices’ behavior in the field and detect security events, alerting you (not your customer) to abnormal behavior.

c.) Cryptography Agent

i.) Medcrypt Ghost uses modern cryptography to secure data in transit without having to change any source code on your device.

d.) Cryptography API

i.) Guardian makes it easy to build cryptography into your device, validating integrity and keeping data private.

2.) Consulting

a.) Threat Modeling Course

b.) FDA Submission Compliance

Evolution Of Medcrypt’s Technology

How has Medcrypt’s technology evolved since launching?

“Products: We started out thinking a single solution/platform that tied cryptography, vulnerability management, and behavior monitoring was the ideal approach. With time and a deeper understanding of market readiness, we learned that we would have better success in separating out each of these facets into separate products. The comprehensive platform that ties all of these products together is still part of our design and we hope the marketplace will be ready for that in the near future.”

“Services: The amount of education we were doing, in particular around cryptography, prompted the creation of a services function within Medcrypt that would work to systemize this education for easier consumption by our customers.”

“Internal: We went from being a few folks in a room together that were in sync all the time, to now being a geographically dispersed group that works asynchronously. We’ve had to build technology and ways of working that are conducive to this change in the workforce.”

Significant Milestones

What have been some of Medcrypt’s most significant milestones?

“Naomi Schwartz joined our team in August 2022 as the Senior Director of Cybersecurity Quality and Safety, marking an exciting addition to our organization. Before joining Medcrypt, Naomi held the esteemed position of a premarket reviewer and consumer safety officer at the U.S. Food and Drug Administration (FDA) within the Office of In Vitro Diagnostics and Radiological Health (OIR). Naomi brings with her over 20 years of invaluable experience in systems engineering. Her primary responsibility at Medcrypt is to spearhead the analysis of cybersecurity designs for medical devices and assist medical device manufacturers (MDMs) in optimizing their cybersecurity framework to align with the FDA’s guidelines.”

“At Medcrypt we support six leading diabetes device manufacturers to improve and ensure the cyber safety of consumer-facing diabetes devices; approximately 37.3 million Americans live with diabetes.”

“November of 2022 marked our most recent funding announcement with an extension bringing the company’s funding to $36.4 million.”

“More recently, we, Medcrypt, were selected to participate in the Microsoft Pegasus Program, a global program dedicated to accelerating the trajectory of startups through access to a network of technology, mentorship, and business support.”

Funding

In January, the company announced additional funding from Dexcom Ventures, the corporate venture capital arm of Dexcom. And Pancoast shared:

“This extension follows Medcrypt’s Series B funding round in November 2022 with investments from Intuitive Ventures and Johnson & Johnson Innovation – JJDC, Inc. (JJDC), among others, bringing the company’s funding to date to $36.4 million.”

Total Addressable Market

What total addressable market (TAM) size is Medcrypt pursuing? Pancoast estimated $33 billion to $42 billion.

Differentiation From The Competition

What differentiates Medcrypt from its competition?

“Medcrypt has a special advantage because there aren’t many other companies doing exactly what we do. While some companies focus on helping hospitals, Medcrypt goes upstream to Medical Device Manufacturers (MDMs). This means we make special cybersecurity solutions just for MDMs, who have different needs and problems. By focusing on MDMs, Medcrypt has become a leader in proactively securing medical devices.”

Omnibus / FDA Guidelines

What impact do bills like Omnibus and guidelines from the FDA have on medical device makers in terms of the attention they give to the cybersecurity of their products? Pancoast replied:

“Bills like Omnibus and guidelines from the FDA have a significant impact on medical device makers in terms of the attention they give to the cybersecurity of their products. These regulatory measures create a sense of urgency and importance surrounding cybersecurity, prompting medical device manufacturers to prioritize it in their product development and management processes. By setting clear standards and requirements, these bills and guidelines establish a framework that guides medical device makers toward incorporating robust cybersecurity measures. Manufacturers understand that compliance with these regulations is not only necessary to meet legal obligations but also crucial for ensuring the safety and integrity of their products. The introduction of government-imposed deadlines, as mentioned, plays a crucial role in accelerating the efforts of medical device makers. The deadlines act as a final push, motivating manufacturers to devote resources, time, and attention to addressing cybersecurity concerns and achieving compliance. It becomes a collective industry effort to meet the set deadlines and enhance the overall security posture of medical devices.”

“Also, bills and guidelines serve as educational tools, raising awareness among medical device manufacturers about the evolving cybersecurity landscape and best practices. By providing clear guidelines and expectations, these regulations enable manufacturers to navigate the complexities of cybersecurity more effectively and make informed decisions regarding their product security.”

Medical Device Manufacturer Priorities

What should medical device manufacturers be prioritizing right now? How about when it comes to patient safety and upcoming FDA omnibus regulations and guidelines?

“Don’t let perfection get in the way of progress. It can seem like you should wait for the ‘next major release’ or the ‘next generation of a device’ to design security into your device, but that isn’t the case. It’s important to prioritize best security practices sooner rather than waiting for the ideal moment because, as we all know, unfortunately, competing priorities make it challenging in the best of circumstances.”

“Don’t go at it alone. This is a hard problem in a hard industry. The wide range of stakeholders involved, including regulators, hospitals, and patients, demands a customized solution. However, that doesn’t imply you must develop it from scratch. Instead, utilize existing tools to enhance the long-term security of your device and increase the likelihood of maintaining a strong security posture throughout its lifespan.”

Future Company Goals

What are some of Medcrypt’s future company goals?

“Medcrypt recognizes the increasing need for cybersecurity in medical devices, and we are working to expand our engineering team to meet the increasing demand. Importantly, we are committed to remaining aligned with the requirements set by regulatory bodies such as the FDA (Food and Drug Administration). Medcrypt is dedicated to complying with the cybersecurity provisions outlined in the latest Appropriations Act, which further emphasizes the significance of safeguarding medical devices against potential threats and vulnerabilities.”