RefleXion Medical, which is working on a biologically guided radiotherapy platform for cancer treatment, has tapped security provider MedCrypt to encrypt data that goes through its devices.
The partnership comes at a time when medical devices are becoming increasingly connected, enabling remote monitoring and data sharing, but also increasing devices’ vulnerability to cybersecurity threats. In January this year, the FDA put out a final guidance detailing new postmarket cybersecurity guidelines for medical devices.
Hayward, California-based RefleXion is developing a device that transforms radiation therapy—which has long been used to treat localized cancer—into a new option for patients whose tumors have metastasized.
Traditionally, radiation therapy takes two steps: MR or CT imaging, which shows physicians where to deliver radiation, and the radiation itself. RefleXion combines positron emission tomography (PET) imaging and radiation in one device. It uses PET imaging to locate tumors, where a radioactive tracer collects. The tracer continuously emits signals, which serve as targets for radiation beams.
“With any therapeutic device, there are security concerns around an attacker modifying the treatment parameters in a way that could result in mistreatment of the patient,” said MedCrypt CEO Mike Kijewski, in the statement. “One of the ways we’re addressing this concern for RefleXion is proactively signing and encrypting data entered into its system by the clinician, then verifying that signature immediately before treatment is delivered.”
MedCrypt provides its customers with a few lines of code that secure data and instructions from manipulation, Kijewski said in an email. The company may then monitor the device in real time, keeping an eye out for suspicious behavior. MedCrypt offers two main versions of this code—one for devices that run on large servers, like CT scanners and RefleXion’s linear accelerator, and one for small, embedded devices, such as insulin pumps, he said.
While such security features fall under the FDA’s cybersecurity recommendations, they may be challenging for devicemakers to implement.
“Some of these necessary features are difficult for companies to implement and there's a huge opportunity to help them do so as well as comply with new FDA regulations,” Kijewski said.