The Department of Health and Human Services (HHS) has earmarked some $50 million for special projects to defend hospitals from cyberattackers.
The Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program is intended to secure systems and networks of medical devices to deploy solutions at scale, HHS said. The program will be operated by the Advanced Research Projects Agency for Health (ARPA-H).
The UPGRADE platform will be designed to evaluate and fix potential vulnerabilities, no easy feat in a system dominated by hundreds of internet-facing devices, officials said. Still, a major goal of the project is to detect threats, automatically procure or develop and test a patch, and deploy it in a hospital setting.
“UPGRADE will speed the time from detecting a device vulnerability to safe, automated patch deployment down to a matter of days, providing confidence to hospital staff and peace of mind to the people in their care,” said ARPA-H director Renee Wegrzyn.
ARPA intends to solicit proposals from external providers to create a vulnerability mitigation software platform, develop systems to auto-detect vulnerabilities, build digital replicas of hospital equipment to deploy in emergency situations and develop custom defenses that run automatically.
The agency expects to grant multiple awards under the solicitation.
Opportunities for MSSPs?
Managed security service providers (MSSPs) may see opportunities in the project’s various tasks.
“Filling this gap in digital health security will take expertise from IT staff, medical device manufacturers and vendors, health care providers, human factors engineers and cybersecurity experts to create a tailored and scalable software suite for hospital cyber-resilience,” HHS said.
Hospitals and other medical facilities are fertile ground for cyber syndicates plotting for financial gain from selling valuable stolen records on the black market. Ransomware hijackers aim to reap millions from disrupting hospital operations, as seen in the massive Change Healthcare incident last February and the recent attack on Ascension, a nonprofit organization that runs 140 hospitals across 19 states.
“It’s particularly challenging to model all the complexities of the software systems used in a given health care facility, and this limitation can leave hospitals and clinics uniquely open to ransomware attacks,” said UPGRADE program manager Andrew Carney. “With UPGRADE, we want to reduce the effort it takes to secure hospital equipment and guarantee that devices are safe and functional so that health care providers can focus on patient care.”
ARPA-H's Digital Health Security Initiative dubbed DIGIHEALS kicked off last summer and is focused on securing individual applications and devices.