HHS Agency Launches Program to Improve Cyber Resiliency in Hospitals
A Department of Health and Human Services (HHS) agency, the Advanced Research Projects Agency for Health (ARPA-H), has established a new cybersecurity program that seeks to enhance and automate cybersecurity at U.S. hospitals to ensure the continuity of patient care.
ARPA-H’s mission is to accelerate better health outcomes by supporting the development of high-impact solutions to society’s most challenging health problems, and one of the biggest problems faced by hospitals is cybersecurity. Healthcare cyberattacks take critical systems offline and negatively impact patient care, potentially even resulting in the closure of healthcare facilities. To help tackle the problem, ARPA-H has launched the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) Program, which will invest more than $50 million into the creation of software tools that will help IT teams in hospitals better defend their networks against cyberattacks.
Hospitals have a vast array of internet-connected devices, all of which need to be kept fully patched and up to date; however, updating software to fix vulnerabilities means taking devices offline, which is often disruptive. Consequently, when patches are released to fix known vulnerabilities, it can take months before the patches are applied. Many actively supported internet-connected devices can remain vulnerable for more than a year, and legacy devices in hospitals can remain vulnerable for considerably longer. The UPGRADE Program aims to enhance and automate cybersecurity through the development of software tools that can scan hospital environments for vulnerabilities that could be exploited by hackers, and then quickly develop and deploy mitigations to prevent exploitation. Modeling hospitals is a challenge, however, as each hospital has a unique number and array of devices.
“It’s particularly challenging to model all the complexities of the software systems used in a given healthcare facility, and this limitation can leave hospitals and clinics uniquely open to ransomware attacks,” said UPGRADE Program Manager Andrew Carney. “With UPGRADE, we want to reduce the effort it takes to secure hospital equipment and guarantee that devices are safe and functional so that health care providers can focus on patient care.”
To ensure the success of the UPGRADE program, ARPA-H will draw on expertise from IT staff, cybersecurity experts, healthcare providers, medical device manufacturers and vendors, and others to develop a tailored, scalable software suite for improving cyber resilience. The software will probe models of digital hospital environments to identify software weaknesses, and when vulnerabilities are identified, will automatically procure or develop a patch, which will be tested in the model environment so it can be deployed with minimal interruption to hospital devices. The aim is to shorten the time that devices remain vulnerable from several months to a few days.
Under the UPGRADE program, ARPA-H is seeking proposals from performer teams on four technical areas: the creation of a vulnerability mitigation software platform, the development of high-fidelity digital twins of hospital equipment, methods for auto-detecting vulnerabilities, and methods for auto-developing custom defenses. ARPA-H anticipates multiple awards under its forthcoming solicitation.
“Today’s launch is yet another example of HHS’ continued commitment to improving cyber resiliency across our health care system,” said HHS Deputy Secretary Andrea Palm. “ARPA-H’s UPGRADE will help build on HHS’ Healthcare Sector Cybersecurity Strategy to ensure that all hospital systems, large and small, are able to operate more securely and adapt to the evolving landscape.”


