The Dundalk startup guarding next-generation medical devices from cyberattacks

As part of our weekly Startup Spotlight series, we profile Nova Leah.

By Jonathan Keane, Reporter, Fora

CONNECTED MEDICAL DEVICES allow for easier monitoring of a patient’s health and provide valuable data to aid the development of treatments.

These wireless devices connect to the internet and software services to collect information and provide monitoring updates. They could include everything from defibrillators to pacemakers and insulin pumps.

But they also open up new avenues of risk: hooking medical devices into broader networks exposes them to potential cyberattacks and data breaches – unlikely as those events may sound.

Dundalk’s Nova Leah has tackled the issue with a software platform designed to help manufacturers make sense of their cybersecurity vulnerabilities and compliance.

The company’s chief executive, Anita Finnegan, was previously a quality manager at Northern Irish medical equipment firm Leckey before pursuing a PhD in the field of medical devices.

Her research focused on developing frameworks for manually checking and maintaining medical devices. This led to the spark that would become the firm’s software platform, SelectEvidence.

“SelectEvidence is the software version of my PhD,” she tells Fora.

The company was spun out of Dundalk Institute of Technology in 2015 with Finnegan availing of Enterprise Ireland’s commercialisation fund for third-level researchers. The fund provides investment for researchers to take their ideas to market.

Cyber risks

Cybersecurity rules for connected medical devices are becoming more stringent, led primarily by the Food and Drug Administration (FDA) in the US. The agency introduced an action plan for medical device safety earlier this year.

This includes requirements for correcting all software flaws in a timely manner and the need for a ‘Software Bill of Materials’, which lays out how a device’s software underpinnings work before it goes on sale.

“For a manufacturer to get a connected medical device into the market, they need to demonstrate to the FDA that they’ve conducted a risk assessment,” Finnegan explains.

“Once the product is in the market, they need to demonstrate to the FDA that they’re continuously monitoring that product for vulnerabilities. That’s essentially what our product takes care of for manufacturers.”

Nova Leah’s software platform helps manufacturers maintain an overview of their devices’ cybersecurity standards and keep tabs on any risks that may emerge.


While manufacturers need to be aware of security risks in any technology product, the need to identify and prevent these risks is particularly acute where there’s the potential for patient harm.

“Our product would identify any vulnerabilities associated with their components and it would suggest fixes to remove the risk or mitigate the risk,” Finnegan adds.

“Once the product is in the market, every day or every week (the software) will check the medical device’s risk assessment – if it finds any new vulnerabilities, it updates the manufacturer and updates them with the fixes for those vulnerabilities.”

The system provides not only an overview of vulnerabilities but also guidance on how to patch them. While some threats may be complex, they may include flaws as simple as equipment with a default password of ‘1234’ that’s yet to be updated.

“It’s very simple to fix those, but the manufacturers have to understand the impact that particular vulnerability (can have),” Finnegan says.

US market

The US is a particularly important market for a company like Nova Leah, given not only the market’s size but also the number of international medical device makers that do business in the country.

The FDA continues to lead the charge, Finnegan says, but she expects the European and Asian regulators to follow suit.

“When I say we target the US, it doesn’t take us away from global medical device manufacturers. Any medical device manufacturer that trades into the US has to sit in line with the FDA’s requirements, which is a large majority of manufacturers,” she says.

“In Europe, there’s nothing specific to medical device security, although there are some institutes and bodies that do recommend that medical device manufacturers in Europe follow the US’s regulations and requirements.”

The company is also developing a version of its product for the hospital sector to help it monitor emerging threats, as device security can’t be left solely to manufacturers, according to Finnegan.

“Hospitals and manufacturers are very much siloed and manufacturers may not always be very transparent about the security features and capabilities of a connected medical device,” she says.

“Now hospitals are becoming much more insistent that they want (information) so they can best manage the products.”

The new system is being piloted with around 12 hospitals in the US, where healthcare professionals have “visibility over the manufacturer’s monitoring”.


“(Getting the system into) as many different sites to see it perform in different environments with different users, the better.”

Business model

Nova Leah operates a subscription-based business model where it licenses the software to the manufacturer. It has five customers to date.

A medical device maker typically pays one licence fee for every model of connected medical device that it has in the marketplace.

The company isn’t disclosing any revenue figures, but it has raised €500,000 in funding from Enterprise Ireland and Dublin- and Boston-based venture capital firm Cosimo Ventures.

The next step will be closing a new round of funding to ramp up its operations by expanding its staff. It currently has 12 people on the team, three of whom are in Boston, and aims to be at least double that figure by the end of the year.

“We expect to close that (funding round) in the next couple of weeks,” Finnegan says.
