Providing cybersecurity for healthcare
Recommended Book:
The Secret History of Cyber War
Best Way to Contact Mike:
Company Website:
https://outcomesrocket.health/podcast
Welcome to the Outcmes Rocket podcast where we inspire collaborative thinking improved outcomes and business success with today’s most successful and inspiring healthcare leaders and influencers. And now your host Saul Marquez
: And welcome back to the podcast Saul Marquez here. Today have the outstanding Mike Kijewski. He’s the CEO at MedCrypt. A San Diego based company that allows medical device vendors to secure their devices from cyber security threats, patch vulnerabilities, and monitor device behavior with a few lines of code. Mike is passionate about new advances in the intersection of Internet, technology, and health care. Is a hot topic that a lot of us need to be concerned with a lot of things are changing the FDA requiring a lot of different things. Got the unique device identifier. I mean there’s a lot of stuff going on here and Mike’s at the center of it. Prior to starting MedCrypt, he was the Founder of Gamma Basics which was a radiation oncology focused software startup. He sold this company well that was acquired by various medical systems in 2013. Mike’s got an MBA from Wharton School of Business and a Masters in Medical Physics from the University of Pennsylvania. He knows what he’s doing. He’s got a great team behind them and a lot of interest is sparking in his work with some good seed rounds of capital being raised there so it’s my pleasure to welcome Mike from MedCrypt to the podcast. Mike welcome.
: Thanks Saul. Thanks for having me. And that is a very generous intro there. Thank you.
: And it’s my pleasure man you’re doing a lot of good things and I’m excited to dive into this topic of cyber security and med devices. But before we tap into this conversation, I’d love to know what got you into the healthcare space to begin with?
: Yes when I was in high school my mom was actually a med student while I was in high school. She started medical school later in her life. And my dad was a vice president at a health care a tea company that was called Shared Medical Assistance which became CEO of Siemens Healthcare. I remember as a teenager anything I have no idea of what I did my parents do. But I don’t want anything to do with. I want to do my own thing with Bob. What if they get so excited. Once the culture is next thought I was going to be a high school physics teacher for a 35-year career taught high school physics for a couple of years after undergrad and really loved being in the classroom with students. I genuinely felt like I was having a positive impact on the lives of some number of people on a daily basis. But I had two main issues with my situation as a teacher the first being the obvious financial ones you know when you’re starting to think about owning a house and having a family and wanting to have my wife be able to stay home for a little bit if we had kids it’s hard to do on a teacher’s salary are harder to do than it would be on other salaries.
: For sure.
I was teaching the same thing three years in a row and starting to get a little bored of material and was looking for something a little more intellectually rigorous in the day to day basis and thought of going to med school. Realize it wasn’t a good fit for me. I wanted to do something sort of entrepreneurial and really at the end of the day wanted to know that the end product of of my work was helping people in some way. And if you think about not to pick on the financial services industry because they do important work as well. But buying and selling stocks. Maybe it’s a less direct positive impact on people’s well-being than health care. So I found this field called medical physics which is the the technical underpinnings of Radiation Oncology and diagnostic imaging and thought that it was sort of a perfect combination of my interest in physics. My interest in wanting to help patients directly or indirectly through healthcare and it was also very forward thinking, a technology-driven treatment modality you know basically everything going in radiation oncology and imaging today involves a computer and software code and it started to be a great environment to get involved in and started that process 11 years ago to this point really couldn’t be more happy if you really really love thinking about healthcare.
: That’s awesome man. Well you’ve done a great job thus far and now you’re paving the way into a new era of of helping people. And so what do you think Mike as a hot topic that the listeners need to be thinking about today? And how is your organization approaching it/
: Yes so we are involved in the cyber security aspects of healthcare specifically focused on the patient safety implications of cyber security. So in 2014 I was working for a big medical device vendor and was hearing a couple of different healthcare delivery organizations expressed concerns about patients being physically harmed if the cyber security vulnerability and a connected medical device were exploited. And at the time I hadn’t spent much time thinking about the physical harm coming from cybers ecurity vulnerabilities of course. You know I heard about Hibiya and heard about patient data privacy issues but the notion that you could make it a medical device to something that was not supposed to do and physically hurt somebody was scary but also interesting to me. And while there were definitely pockets of people working on this problem as early as the late 90’s, early 2000’s. It wasn’t until a couple years after we started really 2015, 2016, that the regulatory agencies and the media large started thinking about the problem. So we’re really focused on ensuring that the companies and teams building healthcare technologies that rely on software hardware are building products that will not malfunction if the bad guys hacks a vulnerability in one of these devices and you know the flip side of that is ensuring that medical device vendors can build devices that are effective and profitable for them and don’t become liabilities long term to the cyber security issues.
: Now this is great information Mike. And you know as manufacturers of devices it’s important that that we consider all of the things that are available to make these devices secure. And then as as providers and as you start thinking about what requirements you have for your vendors selling these these technologies, making sure that your patients are safe. All these things matter. And so Mike is definitely tackling this issue head on with his firm. So I’d love to dive a little bit deeper, learn a little bit more about how you and your organization Mike are creating results by doing things differently as in this arena.
: Yeah absolutely. So a lot of good stuff to unpack there so the first meeting is an anecdote from somebody that I had worked on for a couple of years ago and how that’s inspired are doing today. In 2011 I was running a software startup called Gamma Basics, while I was a graduate student at the University of Pennsylvania and we were making an income of different products for radiation policy you know crinkles or flow situations and we had the idea for a product of wanted to believe that we were a cash strapped sort of resource in a resource constrained organization you can hire an engineer to build stuff. And as a physics graduate student I had done some programming is not allowed to process data and so look at Thaicom images and stuff like that but it wasn’t it wasn’t a software engineer. And I started to look into a couple of different software development frameworks that make it really easy comparatively easy for somebody to build a web application. Then in 2010 I guess this was a framework a Web application framework a ruby on rails and I know a little bit of each you know how to make a website that it never built you know back and application. And as I started to dig into some of my tutorials learning how Ruby on Rails work it amazed me that people had taken processes that previously were very complex and wrapped them up into a very easy to use piece of software that other developers can leverage and not have to reinvent the wheel. I think a good example of this is the notion of a database records actually relatively complex idea that in the late 70’s early 80’s and probably a huge deal to get a database. But then companies like Oracle and Microsoft came out with its consumer facing databases like Microsoft sequel server which is much easier to set up the figure that you still need to write a lot of code to really interface with that with that database you need to understand it or sequel query and all of this other complicated stuff. And then there are other layers of software that come out that say okay well instead of worrying about counterfeit data is directly going to do it easy set of commands where you could type something like patient dot last name and hit enter and we’ll figure out how to read the screen for you on the backend and those sorts of abstractions allowed. Me a physicist but not a software engineer to build a product that ended up being launched commercially and acquired by a big medical device firm has other developers have had you know taken on some of the heavy lifting and abstracted to really some boxes. So the things that we’re doing and that create is looking at the problem of today medical device cyber security and saying what sorts of security features really should be in devices. And if you ask security experts you’ll get a relatively standard set of answers and it will be some very instance of disagreement about but the educators with the most are people would say you should have strong usernames and passwords you should have. You should use encryption in various forms deputy encryption keys and all these devices and setting up all of those technologies. Well it’s not rocket science is time intensive for engineers building these products. So we say hey if we can take those sorts of technologies you know encrypting data, assigning encryption keys, figure out signing things and verifying that the deed has been depleted and make it easily accessible via an API. We can allow engineers in a medical device firm to spend more time focusing on clinical features rather than implementing the sort of DeMentri security framework.
: I think that’s super super fascinating and and I think it’s it’s a great value add Mike because you’re right the device company goes through their specialty which has clinical which is engineering and these API. I mean if you’re applying a turnkey solution this is great. This is so much off of the Pinney’s books so much off of you know an expertise that maybe isn’t baked into that company.
: Yeah and this is a struggle that we that we went through when we were first receive funding for this company. We would have investors say well know engineers that you know who are your favorite big medical device company is engineers that companies that are really smart engineers. They could be right if they do this on their own and they wanted to. And our answer is yeah but why should they focus really why should they spend any time that they don’t need to setting up the security stuff when there are real competitive advantages. No and you know the most in the world about insulin delivery or imaging or cardiac rhythm management or whatever. Nic lots of good examples in other areas of technology companies be successful by allowing their companies to focus on their core competency. So for example my favorite analogy here is that this company stripe that does payment processing API and if you’re if you’re building a website and you’re selling t shirts with something you’ve got to T-shirt designs you need to get the website to sell the T-shirt. And part of selling the shirts is you need to accept payments. So ten years ago the engineers in how to build the credit card processing stuff on their own and they’d have to set up a merchant account with some you know credit card processing company and straight along said you know here’s an API to open these seven lines of code in their website. The worry about this I’m better t-shirts and they’re now practicing something like 5 billion dollars of payments a month or something not because credit card processing was rocket science or no we hadn’t figured it out. They just made it so much easier to implement. Then why would you do anything else. So that really is our approach to a subset of the security issues and medical devices if we can make it so easy for engineers to implement cryptography directly to these devices. Why would they want to do this.
: That’s a great analogy Mike totally love the way you laid that out for us. And so you’ve worked through a couple iterations. Share with us a time when you had a setback in the development of this company or maybe the previous one that taught you some big lessons.
: Yes. So it’s hard to think of one not because there are so few. But really you know we’re running early stage companies. Nothing ever goes perfectly so there are plenty of opportunities where. So a couple of come to mind for the first is when we’re starting Gamma Basics and we were selling Ratio and possibly workflow software into hospitals. We were really literally four guys in the basement with some really good software but nobody had ever heard of our company before and I remember having these long protracted halls with businesses and hospitals and they’d ask us questions like yeah you’ve done X but why don’t you also do y or issues other than the year before and I can probably do this better internally. And it was a very sort of uphill slog to get some of these customers on board. And then we ended up selling the company to Varian and Varian is a leader in radiation oncology if only by market share. Right there their market shares. It’s quite a process. The company very forward thinking and they tend to have customers that I really love their product. So you talk to a physicist at a hospital that he uses the various machine and they probably love that Varian machine. So we went through that integration process at Varian. Then we started selling that same product as Varian. And I had physicists coming up to me at Pomper just saying oh my god this software is amazing. We need this tomorrow we not our help set up. And I said you’re never going to believe this but we have an hour long phone call several months ago when I was with another company. And you told me a hundred different reasons why this wasn’t going to work. And now you want to use your star variant for habesha just goes to show that when you’re doing something innovative and you’re a smaller company the brand recognition and the trust that you build with consumers is so important because if you get to the point where your customers trust you and you don’t profit so they love it has become so much easier to sell things later. Later down the road and as a smaller company when you hear that the fifty reasons why the thing you’re building aren’t going to work. They’re not necessarily accurate right. You know if you told people ten years ago we had electronic minute medical records are going to be used everywhere. And by the way they’re going to be hosted on the scarce servers of an online bookstore. You would say that’s insane. No one’s ever going to store medical data not online bookstores spare servers. Here we are 10 years later and lots and lots of healthcare and technology companies are hosting applications on Amazon Web Services because it is so easy to do why would you run your own data center. So yes I know that the haters aren’t always right.
: That’s such a great great message Mike and cool that you are able to live through it and sort of stay on and see that that impact right because now you can definitely take this message listeners take it to heart, learn from it. What about what are your proudest medical leadership business moments that you had today?
: It’s really fulfilling to have been in an industry long enough where you can make certain conjectures about the way things should be and the way they will be and help make decisions based upon that view of the future and then be around long enough to see those those sorts of things come to fruition. So you know I remember it’s a it’s a relatively obscure example the working in the radiation Hall space and looking at certain things that should be automated and having discussions with people about the pros and cons of automating certain processes. You know the software and you know what if the software goes wrong if this thing happens to the patients higher and of course that would be awful. But we can we can build our code in such a way that will minimize the chance of that happening and by the way if this process is not automated what are the odds of a student making a mistake in having some bad outcome. And certainly you know fighting through some of those disagreements and trying to come up with data that supports that and then you know five or six years later starting to see industries adopt those sorts of automated processes because the data is in and supports that yes. These things has a net positive impact to patient outcomes. So having you know been in the space for a little over ten years is either a really long time or not that long depending on your perspective. But it’s great to just start to see some of these hypotheses that I made earlier in my career start to be pretty true.
: That’s pretty cool. It’s kind of like affirmation that hey you know what I wasn’t too far off on what I was thinking and now what I’m thinking. Let’s move with more bravado because likely it will happen.
: Exactly. If you make you make 10 predictions and you’re looking to those predictions and the first of four out of five of them have been right or you can be you know incrementally more counted in each and each additional prediction going forward that’s that. It’s also not an easy to get at it a little cocky there in a CNM necessarily the least in the world is the way that everybody everybody else sees the world are really like this notion of trying to have a beginner’s mindset and really asking critical questions about things from first principles that make sure that you’re not being influenced by the naysayers but also you’re not Asperger’s you know you’re into our food and just believing it because because you think the way the world works.
: Yeah such a great message. And definitely a key area of the market that you’re working on. Mike tell us about an exciting project that you’re working on?
: Yes we’ve got we’ve got one company of we’re working with that has very complicated medical devices that’s used and that just coincidentally happens to be in radiation oncology space. My current company MedCrypt are focused on the health care industry at large to everything from insulin delivery to imaging the surgical robotics and everything in between. We have a good relationship with this. This is one startup called reflection epical that’s building a PET imaging based radiation delivery system and some of the clinical ramifications of that could be quite impactful once they actually hit the market. I think they’re not too far away from getting their piping and having their first burst in in person treatments. But one of the most satisfying things about that particular engagement for us is it’s a very complex treatment system.Their treatment system because both imaging and treatment delivery sort of at the same time. And they have a very small window of time in which they need to process data, make decisions about that data, and then and then design the patient treatment in less than a second. In fact submitted in the U.S. in a second. So it’s a very sort of a critical in this case with very large computers going very quickly and it’s the kind of use case where we were told early in the MedCrypt’s life that you know these sorts of systems that reside at a hospital and are big and powerful that they’re behind a hospital firewall they require the sort of real time reallocation between the various endpoints surely not a good use case for encryption because encryption takes some sort of time. So you’re going to be necessarily you know decreasing the overall performance of the device. And by the way security is not really that important because this thing’s behind the hospital firewall and we all know the bad guys can’t get behind that. The hospital’s firewall. So to have some big companies tell us that years ago and then move ahead with a company like reflexion which has a you know a really it’s sort of a cliched expression but a next generation version of this stream treatment reality and see that number one you can put in place the security features and still have that device function the way it’s supposed to clinically and number two see that having these sorts of security features isn’t evidence of it’s about that you add for the user for a variety of reasons but not the least of which is you’re are building a device that is secure by design and not creating another thorn in the side of the hospital CIO that now needs to lock this thing down to the firewall management and all of that. So it’s been a really interesting project working with them and seeing a really revolutionary device take security seriously from the start and show that you can have a device that you know that has any security features in place but also is doing really amazing things technologically.
: Mike that’s cool and you know the thought here is you always got to be questioning your assumptions especially with the way technology is moving just because once you felt like hey you know encrypting something or was slow me down or slow down the way that this device is innovative doesn’t mean that’s going to be the way moving forward because all these technologies are advancing and this great example is goes back to the basics and says hey you’ve got to question your assumptions and dig before just assuming.
: That’s exactly right. And it’s hard to look forward in time and see that no computing power will increase and the ability to do the sort of cryptography will you know will get easier comparatively. It’s much easier to look back at that time and look at some things that people could have said that would have seemed rational at the time but now in retrospect that’s right. So if you look at credit card processing I’m very interested in any crypto currencies and watching and Bitcoin actually not but that is because I’m a little skeptical about the whole market and the whole approach to things that I heard a lot of people say the bitcoin of block chains is not a tenable premium system because the visa credit card processing network transact some ridiculous number of transactions per minute. I don’t know the exact numbers but you know you’re talking of millions tens of millions hundreds of millions the actual date actually. And if you were to look back in time and say you know we’ve got all these transactions so many of them are happening per second and we really don’t have the capacity to also correct all of those credit card transactions. Well in retrospect that looks ridiculous right of credit card transactions are happening in an uninterrupted fashion that the amount of fraud in the system would be rampant and it would be incredibly expensive. So it’s just looking back of course you need that sort of cryptography and you know process wouldn’t be tenable otherwise. I do wonder if at some point in the future we’ll look back in healthcare and say you know I can’t believe that we had healthcare information systems on a hospital network communicating with the neonatal severances and not using any encryption because we thought that it was too computationally intensive or you couldn’t get the colors aligned or something. It’s just you know looking back in time it’s easy to see how some of those sorts of objections would be, what would be ridiculed.
: Yeah some great thoughts here Mike and and definitely something for all of us to think about whether you be a CIO at a hospital or an entrepreneur managing your own company in this space really have to be thinking about security and thinking ahead of the game. So Mike getting close to the end here let’s pretend we’re building a medical leadership course on what it takes to be successful in cyber security of devices. The one on one of Mike Kijewski so I’ve got a syllabus that we’re going to construct for the listener’s lightning round style followed by a book you recommend to the listeners. You read?
: Sure. On it.
: Love it.
: So.
: So I’ve got four questions for you right. These are going to be lightning round style. So what’s the best way to improve health care cyber security by design?
: Two words by design. There’s a there’s a lot of focus being put on devices out there in the field. I think it is securing devices when they’re developed is really a much better way to approach from.
: What’s the biggest mistake or a pitfall to avoid?
: The only two patch when medical devices have vulnerabilities and companies put patches out there are a million reasons people give for not amplifying them but that’s the number one mistake you can make.
: How do you stay relevant despite constant change?
: Having a beginner’s mindset constantly asking questions and being aware of what is on the horizon.
: What’s one area of focus that drives your organization?
: Patient safety.
: What book would you recommend to the listeners?
: I believe it is called The Dark History of Cyber War. Maybe the Secret History of Cyber War a fascinating conversation about the U.S. federal government and the federal governments how they’ve actually been having cyber warfare along with physical warfare for the last 30 years and what it looks like in the future.
: Fascinating. Folks there you have it, the outlined the syllabus with Mike Kijewski you could find that and outcomesrocket.health/medcrypt along with a full transcript of our conversation today. Mike this has been a blast. I’d love if you could just share a closing thought but the listeners and then the best place they could get in touch with or follow you.
: Yes I really love it. The conversation’s well thanks for having me. The final closing thought a lot of people say will medical devices ever be hacked? Is this really a legitimate concern? Shouldn’t we to focus on bigger issues? Do not underestimate the probability of patients being physically harmed by cyber security vulnerabilities and medical devices being exploited for various reasons. Some of them being financial or others others not being financial. You should check out medcrypt.co we’re active on Twitter, LinkedIn sharing lots of relevant industry information that will be useful for both medical device vendors and medical device users.
: Outstanding Mike hey we really appreciate your time. This has been a blast. Looking forward to staying in touch.
: Likewise. Thanks for having me.
Thanks for listening to the Outcomes Rocket podcast. Be sure to visit us on the web at www.outcomesrocke.com for the show notes, resources, inspiration, and so much more.
