The US government has unveiled a new $50m program to develop cybersecurity tools to protect hospital environments from damaging cyber-attacks.
The Advanced Research Projects Agency for Health (ARPA-H), part of the Department of Health and Human Services (HHS), announced the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program on May 20.
The initiative aims to enable hospitals to automate vulnerability management across all systems and devices used in their environments, ensuring patches are quickly deployed with minimum disruption to critical healthcare services.
Vulnerability management is challenging in hospital environments due to the number and variety of internet-connected devices unique to each facility. Many of these are legacy devices that are no longer supported.
Additionally, taking hospital infrastructure offline for updates can be very disruptive, meaning crucial security patches can be delayed.
How the UPGRADE Program Will Work
UPGRADE aims to tackle this issue by enabling the proactive evaluation of potential vulnerabilities in healthcare facilities, probing models of digital hospital environments for weaknesses in software.
ARPA-H then envisions that once a threat is detected, a remediation will be automatically procured or developed, tested in the model environment, and deployed with minimum interruption to the devices in use in a hospital.
To develop such capabilities, UPGRADE is seeking performer teams to submit proposals on four technical areas:
- Creating a vulnerability mitigation software platform
- Developing high-fidelity digital twins of hospital equipment
- Auto-detecting vulnerabilities
- Auto-developing custom defenses
ARPA-H Director Renee Wegrzyn said that the investment is part of build of the US government’s plan to build more resilient healthcare systems that can sustain themselves between crises.
“UPGRADE will speed the time from detecting a device vulnerability to safe, automated patch deployment down to a matter of days, providing confidence to hospital staff and peace of mind to the people in their care,” she explained.
ARPA-H added that it anticipates “multiple awards” to be available under this solicitation. Applicants can declare an interest in forming a performer team via the UPGRADE program page.
Defending Against Rising Healthcare Cyber-Attacks
The announcement follows several high-profile ransomware attacks on healthcare organizations in the US in 2024, which has severely disrupted patient care.
This includes the ransomware attack on healthcare payment provider Change Healthcare in February 2024, causing delays to prescriptions and other crucial patient services.
Change’s owner UnitedHealth later confirmed that it paid the BlackCat ransomware group a ransom to restore its systems, reportedly around $22m, to restore its systems.
The US government is investigating the Change Healthcare ransomware attack to determine whether PHI was breached and if the firm complied with its regulatory duties.
In May 2024, US private healthcare giant Ascension revealed it has been hit by a ransomware attack, leading to ambulances being diverted and patient appointments being postponed.