US Hospital Cybersecurity Gets US$50 Million Boost from HHS

The US Department of Health and Human Services (HHS) is launching a US$50 million initiative to bolster cybersecurity defenses for hospitals across the country, aiming to counter evolving digital threats targeting the healthcare sector.

Dubbed the Universal PatchinG and Remediation for Autonomous Defense (UPGRADE) program, it seeks to fortify entire systems and networks of medical devices, enabling widespread deployment of security solutions. This endeavor builds upon ARPA-H's prior endeavors, such as the Digital Health Security Initiative, which focused on safeguarding individual applications and devices.

Under the guidance of the Advanced Research Projects Agency for Healthcare (ARPA-H), the initiative invites proposals from private sector entities to develop a comprehensive vulnerability mitigation platform and an automated system for detecting vulnerabilities..

Additionally, the program aims to create digital replicas of hospital equipment for emergency testing and deployment, along with automated defenses tailored to hospital environments.

"It is particularly challenging to model all the complexities of the software systems used in a given healthcare facility, and this limitation can leave hospitals and clinics uniquely open to ransomware attacks," said Andrew Carney, UPGRADE Program Manager. "With UPGRADE, we want to reduce the effort required to secure hospital equipment and ensure devices are secure and functional so healthcare providers can focus on patient care."

The program’s  announcement coincides with a recent cyberattack on Ascension Health System, which left thousands of hospitals without access to digital medical records for more than two weeks. Several US healthcare organizations have reported cyberattacks in recent months, prompting calls for legislative action.

HHS officials cited the diversity of connected devices within healthcare networks as a significant obstacle to improving cybersecurity. This diversity makes it easier for attackers to exploit vulnerabilities across multiple servers, complicating efforts to implement timely security patches.

Health-ISAC, a  healthcare sector information-sharing organization, reported nearly 1,000 exploitable bugs in medical products in its 2023 State of Cybersecurity for Medical Devices and Healthcare Systems report. The agency aims to automate the acquisition, testing, and deployment of fixes to minimize disruptions to hospital operations. 

Renee Wegrzyn, Director, ARPA-H, stressed the program’s goal of building resilient healthcare systems capable of withstanding cyberthreats.