New Program Seeks to Strengthen Cyber Resiliency in Hospitals

The Advanced Research Projects Agency for Health (ARPA-H), a Department of Health and Human Services (HHS) agency, has started a new cybersecurity program that aims to improve and systematize cybersecurity at U.S. hospitals so that they can continue providing patient care.

ARPA-H’s goal is to facilitate better health outcomes by supporting the creation of high-impact solutions to society’s most difficult health problems, cybersecurity among them. Cyberattacks on healthcare organizations disrupt critical systems and adversely affect patient care, possibly even contributing to the shutdown of healthcare services. To help deal with the issue, ARPA-H has introduced the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) Program. More than $50 million is being invested in developing software to help hospital IT teams better secure their systems, including protected health information, against cyberattacks.

Hospitals have many internet-connected devices that must be kept fully patched and updated. Updating software to resolve vulnerabilities requires taking devices offline, which is usually disruptive. As a result, even when patches are available to correct known vulnerabilities, applying them may take months. Actively supported internet-connected devices stay vulnerable for over a year, and older hospital devices stay vulnerable for much longer. The UPGRADE Program seeks to improve and automate cybersecurity by creating software that can check hospital environments for vulnerabilities that attackers could exploit, and immediately create and release mitigations to prevent exploitation. Modeling hospitals is a challenge, however, because every hospital has a unique number and variety of devices.

It is difficult to address all the problems of the software systems employed in a particular healthcare center, and this restriction allows hospitals and clinics to be exposed to ransomware attacks, stated UPGRADE Program Manager Andrew Carney. The UPGRADE program seeks to minimize the effort required to safeguard hospital equipment and ensure that devices are secure and working, allowing healthcare providers to concentrate on patient care.

For the UPGRADE program to succeed, ARPA-H will need the expertise of IT teams, cybersecurity specialists, healthcare companies, medical device suppliers and vendors, and others to create a customized, scalable software suite for enhancing cyber resilience. The software will examine digital hospital environments to identify software vulnerabilities. Once a vulnerability is identified, the program will automatically obtain or develop a patch, which will be tested in the model environment so that it can be deployed with little disruption to hospital devices. The goal is to reduce the time that devices remain vulnerable from a few months to a few days.

With the UPGRADE program, ARPA-H is seeking proposals from expert teams in four technical areas: the development of a vulnerability mitigation software system, the creation of high-precision hospital equipment, techniques for the auto-discovery of vulnerabilities, and the auto-creation of custom protections. ARPA-H expects to make several awards under its upcoming solicitation.

According to HHS Deputy Secretary Andrea Palm, this UPGRADE program is another example of HHS’ continuing dedication to enhancing cyber resiliency throughout the health care system. ARPA-H’s UPGRADE can help improve HHS’ Healthcare Sector Cybersecurity Strategy, ensuring that all hospital devices, big or small, can work safely and adjust to the changing environment.