HHS offers $50M to help providers patch ransomware vulnerabilities

The Advanced Research Projects Agency for Health, ARPA-H, seeks to scale hospitals' cybersecurity capacity by automating patch deployments across networks and medical devices, speeding the time from vulnerability detection to software updates.
By Andrea Fox
04:26 PM

Photo: Martin Barraud/Getty Images

The U.S. Department of Health and Human Services on Monday announced a new funding commitment designed to improve hospital cyber resiliency.

The new initiative, Universal PatchinG and Remediation for Autonomous DEfense, or UPGRADE, will invest more than $50 million for the development of tools that protect hospital operations, keep medical devices secure and help ensure the continuity of patient care, according to the announcement.

WHY IT MATTERS

With the number of internet-connected devices unique to each healthcare facility or organization and the variability of network-connected equipment across hospitals, it has been difficult to ensure robust, up-to-date digital security. 

Even short disruptions to IT systems can critically impact patient services, especially as the devices most critical for patient health and safety tend to be among the least protected. 

The complexities in securing the number and variety of internet-enabled medical devices may unwittingly open healthcare systems to ransomware and other cyberattacks, according to HHS, which is spearheading UPGRADE through its Advanced Research Projects Agency for Health division, or ARPA-H. 

"It’s particularly challenging to model all the complexities of the software systems used in a given healthcare facility, and this limitation can leave hospitals and clinics uniquely open to ransomware attacks," said Andrew Carney, UPGRADE program manager, in a statement.

"We want to reduce the effort it takes to secure hospital equipment and guarantee that devices are safe and functional so that healthcare providers can focus on patient care," he said. 

Tools that help IT teams better defend the hospital environments they must secure by law could improve cyber resiliency across our healthcare system and fill the gap in digital health security. 

Such a feat – creating a government-funded tailored and scalable software suite for hospital cyber-resilience – will require expertise from hospital IT professionals, medical device manufacturers and vendors, healthcare providers, human-factors engineers and cybersecurity experts, ARPA-H acknowledged in the announcement. 

The vision – a platform that will enable proactive evaluation of potential vulnerabilities by probing models of digital hospital environments for weaknesses in software and automatically procure or develop the remediation needed – would also test remediation in the model environment and deploy needed patches "with minimum interruption to the devices in use in a hospital," project leaders noted.

Software that can automate patch deployment in "a matter of days" after vulnerabilities are detected could give hospital staff and patients "peace of mind," said Renee Wegrzyn, ARPA-H director.

"Health isn’t just something that impacts an individual, and ARPA-H is investing in ways to build stronger, healthier and more resilient healthcare systems that can sustain themselves between crises," she added.

The new project follows ARPA-H's Digital Health Security Initiative, DIGIHEALS, launched in 2023 to focus on securing individual applications and devices. DIGIHEALS recently partnered with the Defense Advanced Research Projects Agency for the Artificial Intelligence Cyber Challenge, a prize competition to secure open-source software used in critical infrastructure. According to an HHS spokesperson, all three initiatives represent the span of ARPA-H's investments in cybersecurity.

THE LARGER TREND

Patch management is a challenge for health IT teams that must not only keep pace with the growth of vulnerabilities cybercriminals will explore as potential attack vectors, but also upgrade software on medical devices and systems that patients depend on for care at times when vulnerabilities are detected.

That is especially difficult for medical devices because software goes out of date quickly, security experts at the HIMSS24 Healthcare Cybersecurity Forum said in March.

While they advised catching certain IoT devices up on patching during scheduled maintenance, Tyler Reguly, senior manager of security research and development at Fortra, told Healthcare IT News last month that artificial intelligence's ability to help organizations keep up with constantly evolving vulnerabilities is still in its infancy.

For now, organizations should rely on cybersecurity experts to stay updated, he said. In the future, "There will be plenty of opportunities for organizations to put it to use."

ON THE RECORD

"ARPA-H’s UPGRADE will help build on HHS' Healthcare Sector Cybersecurity Strategy to ensure that all hospital systems, large and small, are able to operate more securely and adapt to the evolving landscape," said HHS Deputy Secretary Andrea Palm in a statement. 

This story was updated on May 21, 2024, to include comments from an HHS spokesperson.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
