Podcast with Vidya Murthy (WEMBA ’18) and Mike Kijewski (WG ’12) | MedCrypt

Rohan Siddhanti
The Pulse by Wharton Digital Health
Feb 20, 2019

The hot take: Two Wharton grads have jumped into the burgeoning space of medical device cybersecurity and they are off to a hot start! Mike, Vidya and their team have raised more than $3M in funding and are currently in Y Combinator’s Winter 2019 cohort. In this episode you get an overview of the space, why it matters and how MedCrypt is poised to play a big role.

Vidya’s and Mike’s career path before and after MedCrypt (1:20–4:30):

  • Vidya first: 9 years of IT consulting out of undergrad.
  • Joined CareFusion (bought by Becton Dickinson one week after she got there). Worked on data sensitivity/security over devices.
  • Lived in San Diego, flew to SF every other week for two years to complete her Wharton Executive MBA.
  • Mike next: undergrad degree in physics and became a teacher full time afterwards.
  • Moved to get his graduate degree in the Medical Physics space and started a company to automate his prior job…at the same time went through HCM at Wharton.
  • Sold his first company Gamma Basics to Varian Medical Systems and left in 2016 to start MedCrypt.

Overall view of medical device cybersecurity landscape (5:00–12:33):

  • Started out (~2014) as: how to secure sensitive PHI and not have HIPAA breaches. Soon after, the FDA pushed out guidance that framed this as a patient safety concern, not just a matter of data breaches.
  • Depending on the type of device, the vendor may be hands off once the device is sold and the hospital system is in charge of the data security. This is evolving.
  • The hospital doesn’t usually suffer financially from a device breach; it’s the medical device vendor that suffers due to recall (very expensive). Plus it’s the medical device vendor who suffers if they can’t get to market because they fail to clear the FDA’s latest guidance. “From a dollars and sense perspective, it’s the medical device vendor that has the most to lose here.”
  • What medical device means: anything the FDA considers a medical device. Can be everything from a scalpel (no embedded tech usually) to a pure software system like a Clinical Decision Support system.
  • MedCrypt targets devices with (1) some type of computing and (2) some type of network connectivity
  • More and more medical devices have both

Story of a Medical Device breach (12:33–16:17):

  • 2016, Hollywood Presbyterian was attacked through a single vulnerability in a single device…whole hospital was held ransom for $3.6M in Bitcoin (link to news article).
  • The hospital couldn’t continue operations, had no recourse other than to pay and get their information back online.
  • Even a 4 minute delay in hospitals can lead to a 13% increase in adverse outcomes (link to news article).
  • Non-exploited vulnerabilities still cause hardships. A St. Jude pacemaker was vulnerable…but employees of the company profited from shorting the stock and only patched the vulnerability a year later (link to news article).
  • Mike’s grandmother had that exact St. Jude pacemaker! She was concerned about the risk but didn’t know what to do next.

MedCrypt origin story and overview (16:30–21:42):

  • In 2014, patient safety started to become an issue in the medical device community, with some stories raising the profile of the issue (e.g. Dick Cheney having some wireless capabilities disabled for his pacemaker)
  • Mike and Eric, along with Brett (cryptography professor/researcher at UPENN), took a look at the space and realized there were (1) few regulatory requirements and (2) few market forces pushing hospitals to ask for this. They hypothesized this would change.
  • Also, companies can only have 1 or 2 core competencies. They asked whether medical device vendors would ever develop cybersecurity and cryptography as a core capability. Probably not.
  • Summer 2015 started MedCrypt, raised $1M in seed from Friends/Family. Found that Med Device vendors didn’t care for cybersecurity at first. But once the FDA came out with guidance, those same vendors did a 180! (as Mike and team hypothesized).
  • Winter 2019 Batch for Y Combinator, going through that right now.

Hiring Vidya to the team (22:00–24:33):

  • Mike: “I didn’t hire a woman for the role. I hired the best person I had talked to, for the role. That happened to be Vidya.”
  • Mike and Vidya started talking when Vidya was starting her 2-year WEMBA degree, and kept talking quarterly. Once second round of funding came in, she was the first hire.
  • Vidya: “You no longer pick the opportunity, you pick the person”.

What is different about MedCrypt? (24:40–26:50):

  • They are all medical device people who also have a security mindset. Understanding hospital use cases is a specialization of talent.
  • Technology is moving towards 3rd party solutions (see AWS and Azure)
  • Healthcare is moving towards service providers for efficiency and efficacy, and MedCrypt has cybersecurity as its core competency

What do we need to believe for MedCrypt to go from a million dollar company to a billion dollar company? (24:40–30:00):

  • 1: computers (and networks + devices) will play an increasing role in healthcare. This is not really up for debate.
  • 2: cybersecurity will continue to be a going concern. People will not all of a sudden stop hacking things and we won’t write perfectly secure software.
  • 3: the needs of the healthcare industry around cybersecurity are different than the needs of other adjacent industries (this is probably the biggest leap). Mike and team believe that healthcare has its own specific needs.
  • $900M-$1B industry in 2017, going up to ~$10B in 2022…with no obvious leaders at the moment.

Growth plan (hiring/ fundraising) (31:30–32:30):

  • Need to hire folks to ensure positioning: pricing exercises, branding, what can the market bear?
  • Summer 2019 should be able to fund several intern positions
  • In 2018 MedCrypt raised a round of funding (link to news article), so they are in a good cash position right now. However, most companies that go through YC raise some capital right after the program, so once they get through the Winter YC batch, MedCrypt will evaluate its options in mid-2019.

Closing thoughts (32:30-end):

  • Vidya: healthcare is not as slow as it used to be. Massive change has happened in the last 5 years, especially in cybersecurity, so folks should jump in now. Happy to see that Wharton connections help bring me into the space.
  • Mike: Wharton grads maybe traditionally assume that Product Manager or Product Marketing Manager roles inside Med Device vendors are the obvious application of their business degree. But working for ancillary technology companies, without working inside the device company itself, can actually lead to a worthwhile and scalable career.
