Attacks and Vulnerabilities
Critical infrastructure
Medical
News
Regulation, Standards and Compliance
Risk & Compliance
Supply Chain Security
System Design & Architecture
Technology & Solutions
Threat Landscape
Vulnerabilities

HHS’ ARPA-H launches UPGRADE program to enhance hospital cyber resilience

May 22, 2024
HHS’ ARPA-H launches UPGRADE program to enhance hospital cyber resilience

The U.S. Department of Health & Human Services (HHS), through its Advanced Research Projects Agency for Health (ARPA-H), has introduced the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program. The move works to bring together equipment manufacturers, cybersecurity experts, and hospital staff to develop a tailored and scalable software suite for hospital cyber-resilience. The UPGRADE program effort intends to secure whole systems and networks of medical equipment to ensure mitigations can be deployed at scale.

The UPGRADE platform will proactively assess potential vulnerabilities by examining digital models of hospital environments to identify software weaknesses. Upon detecting a threat, an automated remediation process, such as applying a patch, can be initiated. The remediation is then tested within the model environment and deployed seamlessly to the devices in use within a hospital, minimizing disruptions. With a commitment of over $50 million, this cybersecurity initiative aims to develop tools that safeguard operations and ensure uninterrupted patient care.

“We continue to see how interconnected our nation’s health care ecosystem is and how critical it is for our patients and clinical operations to be protected from cyberattacks. Today’s launch is yet another example of HHS’ continued commitment to improving cyber resiliency across our health care system,” Andrea Palm, deputy secretary of the HHS, said in a media statement. “ARPA-H’s UPGRADE will help build on HHS’ Healthcare Sector Cybersecurity Strategy to ensure that all hospital systems, large and small, are able to operate more securely and adapt to the evolving landscape.” 

“Health isn’t just something that impacts an individual, and ARPA-H is investing in ways to build stronger, healthier, and more resilient health care systems that can sustain themselves between crises,” said Renee Wegrzyn, ARPA-H director. “UPGRADE will speed the time from detecting a device vulnerability to safe, automated patch deployment down to a matter of days, providing confidence to hospital staff and peace of mind to the people in their care.”

“It’s particularly challenging to model all the complexities of the software systems used in a given health care facility, and this limitation can leave hospitals and clinics uniquely open to ransomware attacks,” explained Andrew Carney, UPGRADE Program Manager. “With UPGRADE, we want to reduce the effort it takes to secure hospital equipment and guarantee that devices are safe and functional so that health care providers can focus on patient care.”

Carney detailed in a post that the UPGRADE program has four technical areas. Technical area 1 focuses on the creation of a vulnerability mitigation platform. Technical area 2 aims to create high-fidelity digital twins of equipment in hospital environments. Technical areas 3 and 4 seek to develop methods to rapidly and automatically detect software vulnerabilities and develop defenses for each. 

He envisions an autonomous cyber-threat solution that enables proactive, scalable, and synchronized security updates. Importantly, this software platform will enable simulated evaluations of potential vulnerabilities’ impact and adapt to any hospital environment across a wide array of common devices. The program aims to reduce the uncertainty and manual effort necessary to secure hospitals, guaranteeing that vulnerable equipment is fixed and allowing staff to focus on patient care.

He further outlined that the UPGRADE program expects to align equipment manufacturers, cybersecurity experts, and hospital IT staff to develop a tailored and scalable software suite for hospital cyber-resilience. “This broad effort intends to secure whole systems and networks of medical equipment to ensure mitigations can be deployed at scale.” 

Recent cyberattacks targeting hospitals have demonstrated that they can severely disrupt patient care, potentially leading to facility closures. One of the significant challenges in enhancing cybersecurity within the healthcare sector is the diverse array of internet-connected devices present in each facility. Unlike consumer products that receive frequent and prompt patches, updating a crucial component of hospital infrastructure can cause significant disruptions. Delayed creation and implementation of software fixes can leave supported devices vulnerable for extended periods, with legacy devices at even greater risk due to lack of support. 

Unfortunately, cyberattacks that disrupt hospital operations can have lasting repercussions, limiting care availability for weeks or months or forcing facility closure. While proactive vendors patch consumer products with software weaknesses in days or weeks, health care technology can take over a year to patch at scale. Deploying security updates in hospitals is difficult because of the sheer number of internet-connected devices, limitations in health care IT resources, and low tolerance for device downtime needed to test and patch. Despite the size of the cybersecurity industry, health care sector challenges remain under addressed, even as more pieces of equipment are network-connected than ever before. 

Addressing vulnerabilities in healthcare and data security is a challenge that ARPA-H is uniquely positioned to address. ARPA-H’s Digital Health Security Initiative, DIGIHEALS, launched last summer and is focused on securing individual applications and devices. The agency has also recently partnered with Defense Advanced Research Projects Agency for the Artificial Intelligence Cyber Challenge, or AIxCC, a prize competition to secure open-source software used in critical infrastructure. UPGRADE aims to secure whole systems and networks of medical devices to ensure solutions can be employed at scale.  

Through a forthcoming solicitation, UPGRADE seeks performer teams to submit proposals on four technical areas: creating a vulnerability mitigation software platform, developing high-fidelity digital twins of hospital equipment, auto-detecting vulnerabilities, and auto-developing custom defenses. Multiple awards under this solicitation are anticipated.

Last week, the Australian National Cyber Security Coordinator (NCSC) revealed that a commercial health information organization had reported being the target of a significant ransomware data breach incident.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

Webinar: Transforming Manufacturing Security: The 5-Step Approach to Rolling Out and Scaling Up OT Cybersecurity

Register: May 22, 2024 | 8am PDT | 11am EDT | 5pm CEST

http://industrialcyber.co

Related

2024.06.16 gauging maturity of secure remote access as cybersecurity demands grow in operational, industrial environments
Gauging maturity of secure remote access as cybersecurity demands grow in operational, industrial environments
Nozomi announces top risks in browser-based HMIs, concludes CVE study with AiLux RTU62351B
Nozomi announces top risks in browser-based HMIs, concludes CVE study with AiLux RTU62351B
New CISA report addresses zero trust in space, boosting security for satellites and ground infrastructure
New CISA report addresses zero trust in space, boosting security for satellites and ground infrastructure
NIST’s NCCoE focuses on OT remote access in water and wastewater sector cybersecurity architectures
NIST’s NCCoE focuses on OT remote access in water and wastewater sector cybersecurity architectures
Symantec reports Black Basta ransomware group suspected of exploiting zero-day in likely failed attack
Symantec reports Black Basta ransomware group suspected of exploiting zero-day in likely failed attack
Rockwell warns ICS sector of FactoryTalk View SE v11 vulnerability, recommends upgrade to patched v14.0
Rockwell warns ICS sector of FactoryTalk View SE v11 vulnerability, recommends upgrade to patched v14.0
Biden administration boosts healthcare cybersecurity following 128% rise in cyberattacks; ropes in Microsoft, Google
Biden administration boosts healthcare cybersecurity following 128% rise in cyberattacks; ropes in Microsoft, Google
Dutch report exposes expanded COATHANGER campaign, as cyber espionage campaign targets edge devices
Dutch report exposes expanded COATHANGER campaign, as cyber espionage campaign targets edge devices
Xona
XONA Systems secures $18 million in funding to bolster OT cybersecurity amid rising threats
DoD unveils Zero Trust Overlays document for achieving cybersecurity goals from 2021 Executive Order
DoD unveils Zero Trust Overlays document for achieving cybersecurity goals from 2021 Executive Order