Medigate takes a surgical approach to protecting medical devices from cyberattacks

A Savage Security Market Report


One of the primary challenges with IoT Security is how specific the threats are. While classes of devices have common vulnerabilities and attack surface, most are completely different. It’s unlikely we’ll ever see a single product designed to protect both cars and hospitals, for example. For that reason, Medigate has chosen to focus primarily on addressing hospitals and medical device security.

This isn’t just an issue with IoT or specific verticals either. All enterprises, businesses and networks are different and, as such, each product purchased to secure them must be customized to some extent. Studies on shelfware by Osterman Research and 451 Research suggest that the time and effort necessary to implement and manage a solution are linked to the likelihood it will fail and become shelfware. By focusing specifically on medical devices and hospital networks, Medigate aims to streamline the customization process.

Company

Medigate comes out of stealth today, with an impressive $5.35m in seed funding, led by YL Ventures with additional funding from Blumberg Capital (not to be confused with Bloomberg Beta). Medigate is based in Tel Aviv and is led by co-founders Jonathan Langer (CEO), Itay Kirshenbaum (VP R&D) and Pini Pinhasov (VP Product).

Anything over $5 million is a healthy amount for a Series A, never mind a seed round, but there are good reasons for this. We anticipate sales cycles to be quite long in the healthcare space, which is second perhaps only to government in terms of procurement speed. Additionally, we anticipate Medigate will have to build and manage strategic services and MSSP divisions to assist organizations without the skillsets or staff to manage the Medigate product in-house.

The product is still in its early stages, but Medigate plans to use a hardware appliance-based approach and is currently looking for early access customers. As mentioned in my 2016 RSA talk, for those that can afford patience and are willing to give detailed feedback, early stage startup relationships can be a wise investment. At this early stage, customers will get discounts, sure, but the real value is in the opportunity to influence product features and design. In other words, when engaging with an early-stage startup, think of your organization as more of a partner than just a customer.

Medigate is planning for general availability in early-to-mid 2018.

Identifying the Problem

WannaCry disrupted 34% of the UK’s National Health Service, with 81 ‘trusts’ reporting disruption. In the U.K., a trust is a public-run hospital system that could consist of a single location or dozens. For example, the Central London Community Healthcare NHS Trust employs 3,000+ health professionals in over 160 locations. Of these, 37 trusts had infected devices, while the remainder shut down systems as a precaution, to avoid infection. 595 General Practitioner practices were also affected.

Thousands of appointments were cancelled. Hundreds of patients were moved. Five emergency rooms were shut down. A Vanderbilt University study by Sung Choi and M. Eric Johnson found a correlation between hospital data breaches and significantly increased patient mortality rates. This study was based on data from 2011–2015, before ransomware became a significant factor. In conclusion, the study suggests the impact of ransomware is considerably more significant and that the impact of breaches and cyber-incidents on patient care takes years to fade. One of the reasons for this was the observation that security ‘improvements’ to systems have a tendency to disrupt employee workflow and therefore also have an impact on patient care quality.

This latter effect represents an opportunity for Medigate. Transparent, non-disruptive approaches to security are more valuable, since there is no negative ‘trade-off’ to impact employees or patients.

Approach

For products that intend to detect or prevent attacks, visibility is always critical. Much of the security industry was built on ‘blind’ prevention: when it failed, it failed silently. The fact that dwell time became an industry standard metric is a testament to the flaw in this approach. The average enterprise today simply does not know what’s on their network with any degree of precision or accuracy.

Appropriately, Medigate starts with visibility. As we’ve previously mentioned, it’s crazy to think that, in 2017, security tools are confusing a VoIP PBX with a LinkSys router (a real example from a recent Savage Security pentest). Hospitals are no strangers to this problem, with hundreds, if not thousands, of devices on their network that most existing security products might identify simply as “Windows XP”, “Generic Linux 2.6.x” or even “LinkSys Router”.

From our piece on IoT Security startup Axonius

Medigate says they’ve done the heads-down R&D work of learning to identify a wide range of medical devices that show up on hospital networks. Comprehensive device discovery and accurate device identification are critical to succeeding in any later stage. Useful decisions about how to protect or manage devices can’t be made without knowing what they are.

Once visibility is in place and hospital IT has the context necessary to understand device relationships, Medigate can begin detecting anomalies, enforcing policies and actively securing the hospital network. A large number of these devices can be significantly secured through isolation. In one example used by Medigate founder Jonathan Langer, an incubator doesn’t need to talk to an MRI.

As the previous statement suggests, Medigate plans on offering microsegmentation as a feature. Whereas the likes of Illumio and Guardicore require an agent to do microsegmentation, this approach won’t work for Medigate, as many of these devices don’t allow additional software to be installed. In some cases, the hospital may not even directly own or manage the devices. Similarly, these are almost entirely physical, standalone devices running on an ageing network infrastructure, so virtualization-dependent approaches like Cisco’s ACI and VMware’s NSX are also not an option.

Even on older infrastructure, most hospitals at least have managed switches, and that’s what Medigate’s approach will have to depend on. Orchestrating ACLs on network switches and firewalls will be the necessary approach. While that may sound primitive, some of the most effective defensive approaches we’ve seen in our research at Savage Security have been the simplest.
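
The isolation idea described above (an incubator has no reason to reach an MRI), sketched as an added example that is not Medigate's code and not part of the original post: a device-class allowlist compiled into Cisco IOS-style extended ACL entries with a default deny. The inventory, addresses, class names and permitted flows are all constructed for illustration.

```python
from ipaddress import ip_address

# Constructed inventory: what device identification would yield (IP -> device class).
INVENTORY = {
    "10.20.1.11": "incubator",
    "10.20.1.12": "incubator",
    "10.20.2.21": "mri",
    "10.20.3.5": "pacs_server",
    "10.20.3.9": "nurse_station",
}

# Constructed policy: (source class, destination class, protocol, destination port).
# Any flow not listed here is denied.
ALLOWED_FLOWS = [
    ("incubator", "nurse_station", "tcp", 8443),
    ("mri", "pacs_server", "tcp", 104),  # DICOM
]


def hosts_of(device_class, inventory):
    """All addresses identified as the given class, in numeric order."""
    return sorted((ip for ip, cls in inventory.items() if cls == device_class),
                  key=ip_address)


def build_acl(inventory, flows):
    """Expand class-level flows into host-level permits, ending in deny-and-log."""
    lines = []
    for src_cls, dst_cls, proto, port in flows:
        for src in hosts_of(src_cls, inventory):
            for dst in hosts_of(dst_cls, inventory):
                lines.append(f"permit {proto} host {src} host {dst} eq {port}")
    lines.append("deny ip any any log")  # logged denies double as anomaly signal
    return lines


def is_allowed(src, dst, proto, port, inventory, flows):
    """Evaluate one flow against the class policy; unidentified devices are denied."""
    src_cls, dst_cls = inventory.get(src), inventory.get(dst)
    if src_cls is None or dst_cls is None:
        return False
    return (src_cls, dst_cls, proto, port) in flows


if __name__ == "__main__":
    print("\n".join(build_acl(INVENTORY, ALLOWED_FLOWS)))
```

Switch ACLs are stateless, so a real deployment also needs entries covering return traffic for each permitted flow.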

For other defensive measures, Medigate will integrate with other products. This is a common approach, as it has become common for security products to create or deploy rules in next-gen firewalls, for example. This approach makes a lot more sense than putting yet another security device in-line.

Ultimately, we found Medigate to be refreshingly pragmatic and practical in their approach. They understand that hospitals have the budget, but perhaps not the staff to run another security product. They understand that they’ll encounter infrastructure that is inefficient, outdated and unpatched. They understand the challenges in securing the healthcare industry, and as Savage Security’s founders learned from Saturday morning cartoons, “Knowing is half the battle”.

Full Disclosure

YL Ventures is a Savage Security client. Savage Security does not take payment for market research, but accepts payment to advise YL Ventures and its portfolio companies from time to time.



This is a Security Bloggers Network syndicated blog post authored by Adrian Sanabria. Read the original post at: Savage Security Blog - Medium