HHS Agency Launches Program to Develop Software Tools to Automate Healthcare Cybersecurity
The Advanced Research Projects Agency for Health (ARPA-H), part of the HHS, has launched the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program to help hospitals address cybersecurity vulnerabilities.
Under the new program, $50 million will be invested to develop a scalable suite of software tools that can be used by hospitals to identify security vulnerabilities in hospital environments, automate testing, and accelerate patching. “Once a threat is detected, a remediation – such as a patch – can be automatically procured or developed, tested in the model environment, and deployed with minimum interruption to the devices in use in a hospital,” said ARPA-H.
Cyber threat actors search for vulnerabilities to exploit to gain access to hospital networks, so the longer vulnerabilities remain unpatched, the greater the risk. The problem for hospitals is they have huge numbers of Internet-facing, networked devices, and those devices cannot be taken offline without causing disruption. When vulnerabilities are identified and patches are released, it can take months before hospitals apply those patches. The UPGRADE program aims to reduce the uncertainty and manual effort necessary to secure hospitals and decrease the time to patch vulnerabilities from months to a few days.
ARPA-H is seeking proposals spanning four technical areas of the UPGRADE program and will be issuing multiple awards to fund the development of the software tools. The first technical area is the creation of a vulnerability mitigation platform that will enable simulated evaluations of the impact of a vulnerability in a hospital environment and will pull security updates based on common devices used in hospital environments.
The second technical area involves creating high-fidelity digital twins of devices used in hospital environments for testing, the third is a method for detecting vulnerabilities in software, and the fourth involves developing defenses to fix those vulnerabilities and automate patch deployment.
“It’s particularly challenging to model all the complexities of the software systems used in a given health care facility, and this limitation can leave hospitals and clinics uniquely open to ransomware attacks,” said Andrew Carney, UPGRADE program manager. “With UPGRADE, we want to reduce the effort it takes to secure hospital equipment and guarantee that devices are safe and functional so that health care providers can focus on patient care.”
The UPGRADE program will draw on expertise from government experts, healthcare providers, device manufacturers and vendors, and cybersecurity experts to develop scalable software solutions that can be used to improve cyber resiliency in the healthcare sector. The program has been welcomed by many stakeholder groups as a way of helping under-resourced healthcare organizations better protect against the growing number of cyberattacks that are costing the healthcare industry billions and are affecting the ability of healthcare providers to provide patient care.