Sharing and caring: How Anita Finnegan manages data security in medical devices

10 Jan 2020

Anita Finnegan. Image: Nova Leah

With Nova Leah, Anita Finnegan stitches together cybersecurity and medtech in an intricate weave of strict regulation and exceptional safety standards.

Anita Finnegan had a good 2019. The Nova Leah founder and CEO saw her team outgrow its original home in the Dundalk Institute of Technology’s incubation centre and open its own office in an IDA business park. The company onboarded more of the world’s top medical device firms as customers and became ISO-certified for both quality management and information security.

Two rounds of funding secured under the Disruptive Technology Innovation Fund began to take shape as active projects. And the year ended with a string of accolades including the Spin-Out Company Award from Knowledge Transfer Ireland and Emerging Company of the Year at the Technology Ireland Awards – the latter of which meant securing Ibec’s nomination to represent Ireland in the Digital Europe Future Unicorn Award in February.

“[It] actually has been a lot that we’ve crammed into 12 months,” Finnegan told me as we spoke before the year’s end.

‘The new regulation that’s coming out around medical device cybersecurity actually specifically calls out the standards that I authored’

Nova Leah has been deemed a start-up to watch since its inception, born out of Finnegan’s own PhD research on medical device cybersecurity assurance. The security framework she developed at Dundalk Institute of Technology is what eventually spun out as Nova Leah.

This year, the company plans to raise Series A funding and Finnegan is “very hopeful and excited about the future”. The Series A round will help to further expand the team and its technology stack. In terms of markets, Finnegan is looking to the west coast of the US, as well as Canada, Australia and central Europe.

“We want to expand geographically because medical device cybersecurity regulations have now spread globally,” she explained. “[In] Canada and Australia, it’s mandatory now for medical device manufacturers to do something similar to what’s expected in the US. Now we’re starting to see that drip feed into Europe.”

Indeed, true to her prediction, the European Commission’s Medical Device Coordination Group opened the new decade with the publication of new guidance on cybersecurity for medical devices.

Staying ahead of the game

Thanks to a solid reputation built in the US regulatory environment, Nova Leah is in a position of strength to take on any standards a market imposes. In fact, Finnegan is such a high-level expert in this space that to say she wrote the book on medical device cybersecurity wouldn’t be overstating it.

“From early days in my PhD research, I got involved with decision-makers and policymakers in the industry and kick-started a relationship with the FDA. On the back of that I was invited to publish two medical device cybersecurity standards. The new regulation that’s coming out around medical device cybersecurity actually specifically calls out the standards that I authored,” she explained.

Having Finnegan and her insight at the helm means Nova Leah is in the know about regulatory shifts up to 18 months before they take shape. “We’re buying time to be able to develop those features into the application that will automate the process for medical device manufacturers. We can stay on top of it and deliver to the industry when these standards, best practices and regulations come into effect.”

Staying one step ahead is crucial in the cybersecurity space, and particularly in the continuously evolving regulatory and threat landscape Finnegan finds herself in between medtech and infosec. She values the “one person’s attack is another person’s defence” approach and advocates for transparency, information sharing and collaboration between all stakeholders.

“We encourage hospitals and we encourage medical device manufacturers and even users of connected medical devices to work together so that when something is identified – a potential vulnerability – it’s communicated with the other stakeholders,” she said.

Essentially, Nova Leah aims to ensure that connected medical devices are not used as a springboard to breach a healthcare network, the result of which can be devastating. We saw how an attack can impact healthcare in 2017 when WannaCry ransomware hit the UK’s National Health Service (NHS). Around 1pc of all NHS care was disrupted for a week from this attack and a number of diagnostic devices were either directly infected, or indirectly affected by being powered down to prevent further spread.

This, Finnegan explained, is the real security risk when it comes to medical devices – not the idea of hacking into an individual device to attack a patient.

“Obviously there is still that concern in the industry that at some point in time there may very well be a fatality caused by somebody accessing a connected device such as a pacemaker or an insulin pump in an unauthorised fashion and causing it to not function the way it should, but there are no recordings or notable events that suggest that has ever happened,” she said.

“Then again, that is something that would be very difficult to prove did happen, but it’s a sideline consideration in addition to securing networks of connected devices.”

Safety first

“What the industry itself is more fearful of is somebody penetrating a hospital environment via a weak link, which is a medical device, and taking the entire network down,” Finnegan explained. This could lead to hackers accessing patient health information, which she believes has even more monetary value than credit cards.

While Finnegan sees the clear value of maintaining expansive patient health information repositories for analytics that could enable more accurate diagnoses, better treatment or even pre-emptive healthcare, she is not as confident in the current capabilities of securing this data.

“From a technology posture perspective right now, we’re not ready to be able to do that. We should know that data is fully secured at rest, we should know that data is fully secured in transmission, and we should know that data is appropriately anonymised before it is taken and used. I just don’t think the industry is at that point yet to be able to extract those benefits from the data, but I see that as something that’s going to be an industry-changer at some point in the future when we get there,” she said.

‘We care about how we build our products and the processes used to build our products as much as our customers care about the safety of their products going out to protect patients’

At the end of the day, though her clients are the medical device manufacturers, there are patients’ lives to consider in Finnegan’s line of work. “It’s really important for us to be able to send that message out to our customers that we care about how we build our products and the processes used to build our products as much as they care about the safety of their products going out to protect patients and improve patient care,” she said.

Just as the best-case scenario for this level of security assurance is to build things the right way from the start, Finnegan applies this philosophy to the company itself. “One of our [messages] to our customers [is] that you should build the right processes, or build security into your products early as opposed to bolting something on at the end … We follow through on that mission in terms of everything from a growth perspective of the organisation.”

Beyond expanding her team and geographical reach, Finnegan hopes to see Nova Leah’s technology break out of medtech into other safety-critical industries, such as automotive and aviation. “That’s a late 2020 goal, but we do plan on using the proceeds of our raise towards expansion into those other markets,” she revealed.

Despite her global goals, she does hope to keep the company in its current HQ. “We’re an Irish-founded company. We’d like to keep as much of what we can do here in Ireland, but it may be something that we consider in terms of expanding team development into other areas,” she said. “We’ll wait and see what happens at the beginning of [2020] and how it unfolds in terms of our Series A raise.”

Elaine Burke is the host of For Tech’s Sake, a co-production from Silicon Republic and The HeadStuff Podcast Network. She was previously the editor of Silicon Republic.