The Advanced Research Projects Agency for Health (ARPA-H) announced the launch of the $50 million Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) cybersecurity program designed to improve IT security for healthcare environments.
The UPGRADE platform will simulate hospital settings to detect weaknesses, automatically procure or develop patches, test them, and deploy solutions with minimal disruption to hospital operations.
The program aims to extend this security to entire systems and networks of medical devices, ensuring scalable and comprehensive protection.
The agency, established within the U.S. Department of Health and Human Services (HHS) to drive high-risk, high-reward research in health and biomedical sciences, is spearheading the initiative under its Digital Health Security Initiative (DIGIHEALS), launched last summer to secure individual applications and devices.
The forthcoming solicitation for UPGRADE will invite proposals in four key areas: developing a vulnerability mitigation software platform, creating high-fidelity digital twins of hospital equipment, auto-detecting vulnerabilities, and auto-developing custom defenses.
The agency said multiple awards are anticipated under this solicitation and will help build on HHS’ healthcare sector cybersecurity strategy.
“UPGRADE will speed the time from detecting a device vulnerability to safe, automated patch deployment down to a matter of days, providing confidence to hospital staff and peace of mind to the people in their care,” Renee Wegrzyn, director of ARPA-H, said in a statement.
Since 2020, ransomware actors have targeted the healthcare industry for big payouts, threatening hospitals and other facilities, often through the exploitation of vulnerabilities.
Over the past year alone, ransomware has compromised more than two thousand hospitals in the U.S., counting reported and known cases. Recent incidents at Ascension Healthcare and Change Health underscore the rising threat.
According to Ken Dunham, cyber threat director at Qualys Threat Research Unit, ransomware has targeted healthcare with significant impact over the past four years. “A diversity of hardware, software, and shared infrastructure—legacy and cloud—coupled with complex stakeholder requirements within a hospital environment naturally becomes one that is complex to secure and manage,” he said. Core fundamentals of risk management and de-risking are threat and vulnerability patch management as well as asset inventory and classification.
“When hospitals suffer downtime from a ransomware incident or similar threat, significant delays in normal operations occur,” Dunham said. This could include the inability to fulfill prescriptions, loss of access to patient records and information, and process breakdowns, forcing the use of manual paper and pen procedures that are prone to error. That puts lives at risk.
“Many medical devices and networks are not properly secured and hardened enough to defend against the most likely attack vectors of 2024,” Dunham said.
This requires prioritization to lower the risk factor immediately, especially for those that are Internet-facing with the highest attack surface and risk of attack.
A mid-sized hospital has an almost 17% chance of a ransomware event occurring this year, Padraic O’Reilly, chief innovation officer at CyberSaint, explained, with an average loss magnitude of $10 million. Social engineering comes next among these sorts of attacks, followed by compromised or weak credentials.
“As we saw with Change Health, it was a combination of those vectors that led to significant downtime and the potential data breach of 170 million patients, not to mention the massive operational difficulties in insurance, pharmacy, and hospital payments,” O’Reilly said.
The proposed ARPA-H solution would aim to speed patch cycles upon hospital-typical M-profiles, which will harden the attack surface by closing vulnerabilities faster, O’Reilly acknowledged. “In theory, it is a very good idea. Hopefully, $50 million is enough to see it through, but that might be a bit optimistic.”
Hospitals must commit to a cyber risk management approach that engages all stakeholders – including management – if a program is to work at all. “Without engagement across the organization, projects such as these will hit any number of roadblocks,” O’Reilly said. “Information security professionals should commit to showing how their approach impacts the business side of hospitals in order to unlock the requisite resources.”
All hospitals should understand their exposures and their plans for backup and recovery should there be an incident. O’Reilly explained, “The likelihoods and impacts are critical in this sector, involving patient data and human life; it is negligent to operate without such protections in place.”
O’Reilly said he believes healthcare has a “real opportunity” to improve its cyber risk management in the wake of such high-profile breaches. “Management should be brought in and understand the critical need for improved risk management,” he said. “Hopefully, programs like UPGRADE will help speed this much needed greater resiliency across the sector.”