Start-up of the week: Nova Leah

27 Mar 2017

Anita Finnegan, Nova Leah founder and CEO. Image: Nova Leah

Our start-up of the week is Nova Leah, which has developed an expert cybersecurity system for medical devices.

Nova Leah specialises in developing expert cybersecurity risk management systems specifically for medical devices,” explained Nova Leah founder and CEO, Anita Finnegan.

“With more and more connected devices like pacemakers, insulin pumps [and] MRIs now in use, the FDA has set out regulations for medical device manufacturers to provide evidence of cybersecurity assurance prior to market approval and while devices are operational.

‘My plan is that Nova Leah will be the number one solutions provider for intelligent cybersecurity risk management systems in the medical device industry’

“Our product, SelectEvidence, guides manufacturers through those cybersecurity processes in finding potential vulnerabilities specific to a medical device and identifying the most appropriate way to mitigate those vulnerabilities. SelectEvidence reduces the time spent on cybersecurity risk analysis by 80pc; it streamlines regulatory processes, reduces the likelihood of patient harm and product recalls, while meeting FDA requirements,” Finnegan explained.

The market

The current global medical device market is expected to reach $440bn by 2018.

“Our initial target market is the US medical device market. This is the largest medical device market valued at 38pc of the total global market and is currently worth $166bn approximately.

“There are an estimated 7,000 medical device manufacturers, of which 30pc of those are target customers,” Finnegan said.

The founder

Finnegan spent 12 years working in a number of highly regulated industries, mostly in engineering and quality or risk management-related positions.

“A few years back, I returned to education to do a conversion degree in computer science in Dundalk Institute of Technology (DkIT) and while I was there, a fantastic opportunity for a doctorate came up with the Regulated Software Research Centre in DkIT, which allowed me to take my previous industry experience and marry it with my newly learned IT knowledge.

“I had always planned to do a PhD at some point so I was delighted with this opportunity focusing on medical device cybersecurity assurance.

“This was the start of Nova Leah’s journey. The security framework that I developed during my PhD was the start of SelectEvidence.”

The technology

SelectEvidence is a cybersecurity system that supports manufacturers in designing, verifying and certifying medical devices to meet FDA cybersecurity recommendations, best practices for connected medical devices and industry security standards.

It allows manufacturers to implement cybersecurity requirements for their devices using a proven standardised, repeatable, traceable and auditable framework.

‘SelectEvidence is a cradle-to-grave solution, managing cybersecurity processes from requirements specification right through to product retirement’

“SelectEvidence is supported by repositories, which inform decisions during each step in the cybersecurity risk management process and allow full traceability from risk identification to risk treatment,” Finnegan said. “Repositories currently contain threats, vulnerabilities and security controls information.

“To reduce the time spent identifying and analysing risks, all three repositories are interlinked, which means each threat has an associated list of vulnerabilities and, in turn, an associated link to a catalogue of controls. Repositories are continuously researched and revised to reflect current industry findings in terms of trending security weaknesses and newly identified best practices.”

Finnegan said that in addition to handling “market approval” risk management processes, SelectEvidence has the functionality to continuously monitor and manage post-market (operational) risk management.

“SelectEvidence is a cradle-to-grave solution, managing cybersecurity processes from requirements specification right through to product retirement,” she added.

The system handles device revision control and traceability, locking historical revisions down to administrator access only.

SelectEvidence automatically generates the required FDA documentation for market approval and for post-market reporting. In addition, the tool generates the following reports:

  • Customer compliance reports – manufacturer disclosure statements
  • Verification traceability reports
  • Progress reports – threat tracking, risk evaluation reports etc
  • Cybersecurity plan outlining development and QA requirements
  • Functional test plans
  • SelectEvidence live dashboard

 Target acquired

“My plan is that Nova Leah will be the number one solutions provider for intelligent cybersecurity risk management systems in the medical device industry,” Finnegan said.

She explained that Nova Leah licensed the IP from DkIT and officially spun out in June 2016.

“Since then, we have secured seed investment, which meant we could build out our team, continue to develop our product and essentially work with potential customers through the sales cycle.

“We are currently onboarding our first major customers in Europe and the US, with a number of high-profile pilots upcoming in the first half of this year. We are expanding out to the US and have just opened a Boston office.

“At the moment, the plan is to attract follow-on investment later this year, to allow us scale up all aspects of the business to meet market demands.”

Steep learning curve

Finnegan said that there have been a lot of challenges in getting Nova Leah to where it is now.

“The steep learning curve around all aspects of creating and building the right business, raising money, finding the right team, deciphering good from bad advice, and all the risks that come with these challenges.

“For me, the excitement seeing the company grow – hitting objectives that were set out a year ago, knowing that every day will bring something new – far outweighs these challenges.”

Finnegan considers the start-up scene in Ireland to be quite vibrant, with plenty of networking opportunities to showcase start-ups and gather support.

“Ireland is a small country with a big start-up scene, which gives it a very social feel in terms of being able to identify who you need to know – investors, key hires, support programmes and more.

“Enterprise Ireland, IDA and Local Enterprise Offices are very approachable in supporting start-ups here in Ireland and internationally.”

Her advice to fellow founders is to study what the Irish industry has to offer in terms of start-up resources.

“If an accelerator programme provides the right support, there are plenty to choose from; choose the right one to suit your business and product needs best.

“Become acquainted with venture capitalists early, even if you are not ready for investment. Engaging with investors early can be valuable in terms of getting you investor-ready.

“Remember to think beyond the technology, broaden your understanding of the target industry and do the market research. Keep to your short-term plans, plan your longer-term goals and reassess as you go.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years