Even as health care systems and hospitals were facing a raging pandemic last year, they also faced another aggressive and relentless battle: cyberattacks.
Subscribe to the Crunchbase Daily
Health care breaches increased by 55.2 percent in the last year, according to a recent study. The increase in attacks caused the Cybersecurity and Infrastructure Security Agency, the FBI, and the U.S. Department of Health and Human Services to send out a warning in late October that there was “credible information” cyberattackers were targeting health care providers and public health agencies.
The increase in attacks on the health care industry correlates with devices and machines at hospitals becoming more connected; things such as MRIs, beds and thermostats talking with each other and the network while giving attackers virtual backdoors and an ever-expanding attack surface to exploit.
As the attacks have increased, so has interest in the space, as many had predicted. Earlier this week, New York-based health care cybersecurity company Cylera closed a $10 million Series A, and late last month, Palo Alto-based Armis Security — a leader in IoT security including that for health care — raised $125 million at a $2 billion valuation. Two M&A deals around the space also occurred when on Feb. 23 CloudMD bought health care data integration and security provider IDYA4, and 10 days later Relay Medical acquired IoT cybersecurity firm Cybeats Technologies.
“Investor interest has grown in the last year or so,” said Michael Cortez, vice president at YL Ventures, which has invested in health care cyber company Medigate. “People are very interested. They are starting to see what an enormous market this is selling to health care.”
While only slightly more than a dozen companies specialize in health care cybersecurity, the sector is an outgrowth of IoT security and protecting connected devices. That sector had seen an increase in global venture funding from $26 million in 2015 to a high of $249 million in 2019, according to Crunchbase data. Investment leveled off last year, with only $133 million coming into the space, but this year already has witnessed $135 million invested, with Armis leading the way.
One reason for the small collection of companies specifically in health care security is that the space really popped up on investors’ radar five to 10 years ago.
Bob Ackerman, founder of Allegis Capital, remembers exactly when the sector came on his radar. He was having lunch with former Vice President Dick Cheney about seven years ago when the former VP told him that people in national security were concerned about his pacemaker possibly being hacked.
“I asked him how real of a threat that was,” Ackerman remembered. “He said, ‘About as real as a heart attack.’ ”
Since then, the industry has seen several massive attacks. In 2015, health care provider Anthem disclosed hackers had potentially stolen more than 37.5 million records after getting into its servers. Two years later, a ransomware strain called WannaCry infected the U.K.’s National Health System and affected 80 facilities even though the health system was not the direct target.
Attacks have not just focused on personal records and hospitals. Last year, research institutions doing COVID 19-related research reported being attacked, and the World Health Organization also saw an alarming increase in incidents.
While ransomware has been the most prevalent attack against health care systems and hospitals, data, research and other valuable IP also have been targets.
“Every aspect of society is being digitized, and everything that is digitized has a risk profile” Ackerman said.
That risk does not just exist in connected medical devices and the network in a hospital or a research facility. Many who invest in the space say that opportunity now extends outside the facility, especially as health care stresses telemedicine and in-home care.
“There’s no question that remote patient monitoring systems and how to secure them could become a thing,” said Taylor Whitman, managing director at Concord Health Partners, an investor in Cylera.
Sunny Kumar, a partner at GSR Ventures, was an early investor in IoT and health care security vendor ZingBox, which was one of the first deals in the space when Palo Alto Networks agreed to buy it in 2019. He has seen a proliferation of companies in the space in general the last few years, but especially the privacy-preserving computation and data space, as managing, protecting and transferring sensitive information has become more important.
He also expects security for voice interface technologies and authentication software — as people interact in new ways with health care providers — to see increased interest.
“That problem speaks to how more and more is being moved outside the hospital,” he said.
Deals and IPOs
While companies like Medigate, CyberMDX, Cylera and Armis battle larger players like Palo Alto Networks in the market, the question of the likeliest outcome for many of these players remains.
“There’s definitely been a ton of (investor) enthusiasm in the last year or year and a half,” Cortez said. “We feel strongly about this space. We are just scratching the surface.”
Whitman said he has no doubt there could be multiple winners in this space, especially with the money involved in health care.
“Health care spending is large and just getting larger,” he said.
Like any sector, however, some consolidation — such as ZingBox and Palo Alto Networks — likely is inevitable, he added.
Large cybersecurity companies or IT enterprises with cybersecurity divisions — think IBM — as well as medical device-makers — like Dexcom — also would be logical suitors in the sector, investors agreed.
While it’s hard to predict exactly when dealmaking will really spark, investors agree that venture almost assuredly will continue to flow.
“We are wide open to it,” said Ackerman about investing in health care cybersecurity. “This market is still in its early days.”
Illustration: Dom Guzman
Stay up to date with recent funding rounds, acquisitions, and more with the Crunchbase Daily.