Governance & Risk Management , Standards, Regulations & Compliance , Vulnerability Assessment & Penetration Testing (VA/PT)
HHS Funds $50M to Spot, Patch Hospital Vulnerabilities
Research Agency Soliciting 'UPGRADE' Project Ideas to Help Boost Healthcare CyberThe highly targeted U.S. hospital sector could get a boost in avoiding cyberattacks with a $50 million investment by a federal research agency aimed at enhancing automation, vulnerability detection and remediation across a variety of devices in healthcare environments.
The Advanced Research Projects Agency for Health, or ARPA-H, which is part of the U.S. Department of Health and Human Services, said Monday that its newly launched Universal PatchinG and Remediation for Autonomous DEfense, or UPGRADE, program, is a cybersecurity effort to develop tools for IT teams within hospitals to better defend their environments against ransomware and other cyberattacks.
"ARPA-H's Upgrade will help build on HHS' healthcare sector cybersecurity strategy to ensure that all hospital systems, large and small, are able to operate more securely and adapt to the evolving landscape," said HHS Deputy Secretary Andrea Palm in a statement announcing the program.
The Upgrade platform will enable "proactive evaluation" of potential vulnerabilities by probing models of digital hospital environments for weaknesses in software.
ARPA-H said it envisions the Upgrade program will offer hospitals an autonomous cyberthreat solution that enables proactive, scalable and synchronized security updates.
"Importantly, this software platform will enable simulated evaluations of potential vulnerabilities' impact and adapt to any hospital environment across a wide array of common devices. The program aims to reduce the uncertainty and manual effort necessary to secure hospitals, guaranteeing that vulnerable equipment is fixed and allowing staff to focus on patient care," ARPA-H said.
"Once a threat is detected, a remediation - such as a patch - can be automatically procured or developed, tested in the model environment, and deployed with minimum interruption to the devices in use in a hospital," ARPA-H said.
The Upgrade effort is expected to bring together equipment manufacturers, cybersecurity experts and hospital IT staff to develop a tailored and scalable software suite for hospital cyber resilience, ARPA-H said.
"This broad effort intends to secure whole systems and networks of medical equipment to ensure mitigations can be deployed at scale," the agency said.
ARPA-H is issuing a solicitation for "performer teams" to submit proposals on four technical areas of the project: creating a vulnerability mitigation software platform, developing high-fidelity digital twins of hospital equipment, auto-detecting vulnerabilities, and auto-developing custom defenses, ARPA-H said.
The agency is also hosting on June 20 a "virtual proposers' day" webcast to provide more information to those interested in submitting Upgrade proposals. The registration deadline to attend the session is June 18.
The Upgrade project is one of several other efforts underway at ARPA-H to address healthcare security and related technology issues.
Last summer, ARPA-A launched the Digital Health Security Initiative, or Digiheals, which is focused on securing individual applications and devices (see: Feds Seek Innovative Ideas for Health Sector Security).
ARPA-H is also partnering with the Defense Advanced Research Projects Agency for the Artificial Intelligence Cyber Challenge, or AIxCC, a prize competition to secure open-source software used in critical infrastructure.
HHS was granted authority to establish ARPA-H under the fiscal 2022 appropriations bill, which was signed into law by President Joe Biden in March 2022. The agency's mission is to improve the U.S. government's ability to accelerate biomedical and health solutions. ARPA-H is an independent entity within HHS' National Institutes of Health.