HHS’ ARPA-H awards $50 million in funding for six research contracts to advance health data security

The U.S. Department of Health and Human Services’ Advanced Research Projects Agency for Health (ARPA-H) recently awarded US$50 million in funding for six research projects to advance technologies that could help secure healthcare data. These include automated medical device patching, ransomware intervention, cognitive health assistants for better data organization, cyber reasoning techniques, and electronic health record consolidation.

ARPA-H is a funding agency that supports high-impact research capable of driving biomedical and health breakthroughs that can deliver transformative, sustainable, and equitable health solutions for everyone. Its Digital Health Security (DIGIHEALS) initiative supports research that aims to protect the U.S. healthcare system’s electronic infrastructure against hostile threats. Focusing on security protocols, vulnerability detection, and automatic patching, DIGIHEALS seeks to reduce the ability for bad actors to attack digital health software and hardware, and to enable the prevention of large-scale cyberattacks.

Funding for awardees varies in amount and is contingent upon the recipient meeting aggressive milestones specific to their project.

“We applaud the administration’s recognition that the current paradigm of health care constantly trying to protect, through available means, the accelerated expansion of insecure third-party technology in our environments is not sustainable and is a losing battle,” John Riggi, AHA’s national advisor for cybersecurity and risk, said in a media statement. “We need a fresh approach.” 

He added that, “we hope this scientific initiative will lead to the development of new cybersecurity technologies that will help us more effectively prevent and respond to the ever-increasing wave of sophisticated cyberattacks in health care — to help protect patients.”

“These projects will seek to develop technologies that can address current gaps in cybersecurity for health care systems across the country, ensuring patients continue to receive care in the wake of a medical facility cyberattack,” according to Renee Wegrzyn, ARPA-H director.

The initiative awarded up to $16 million to AMdP, with an aim to develop Automated Medical device Patching (AMdP2), leveraging technologies originally developed for the Defense Advanced Research Projects Agency (DARPA) under the Assured MicroPatching (AMP) and other programs. If successful, AMdP2 will provide medical device manufacturers and cybersecurity firms with an automated firmware vulnerability detection and remediation capability.

The next ARPA-H DIGIHEALS project focuses on developing a Cognitive Health Assistant that Learns and Organizes (CHALO). With an award of $9.8 million, the research team will embark upon a two-year research and development effort focused initially on six topics, each bringing Department of Defense (DoD)-funded technologies together to adapt them to problems in health and wellness.

The ARPA-H DIGIHEALS initiative awarded $9.5 million to H-R3P (Healthcare Ransomware Resiliency and Response Program) that aims to develop evidence-based interventions to reduce the impact of cyberattacks on health care delivery organizations (HDOs). This is done by identifying ransomware incidents, understanding the impacts with respect to disruption on acute clinical workflows, and deploying substitute systems during a ransomware emergency. H-R3P’s goal is to develop clinician-focused tools and techniques for improving capacity for and quality of care during cyberattacks.

Awarded to the University of California San Diego School of Medicine, the contract award will help the researchers develop better ways to prevent and mitigate ransomware attacks, a type of cyberattack in which hackers attempt to extort money from organizations by blocking access to essential computer systems. Ransomware attacks affecting health care delivery have been increasing in frequency and sophistication in recent years. With so many parts of modern health care delivery being computerized, these attacks pose a significant and direct threat to patients’ lives, not just their privacy.

Apart from the risk that they pose to patients, ransomware attacks are also extremely costly. The average cost incurred by healthcare systems recovering from a cyberattack was $11 million dollars, according to IBM’s 2023 Cost of a Data Breach report.

The researchers will focus on identifying early indicators of cyber threats through simulated ransomware attacks, and will also create and test an emergency healthcare technology platform to be used in the event of an attack to ensure continuity of health care services. 

“Health care systems are highly vulnerable to ransomware attacks, which can cause catastrophic impacts to patient care and pose an existential threat to smaller health systems,” Christian Dameff, co-principal investigator, emergency medicine physician at UC San Diego Health and assistant professor at UC San Diego School of Medicine and UC San Diego Jacobs School of Engineering, said in a Monday media statement. “Developing protocols to protect health systems, especially rural and critical access hospitals, will help save lives and make health care better for all of us.”

“Some smaller systems can’t absorb the costs of a major ransomware attack, so when there is one, we ultimately lose those critical hospitals permanently,” Jeffrey Tully, co-principal investigator and an assistant clinical professor at UC San Diego School of Medicine, said. “This is a worst-case scenario for patients who live in remote areas where there may not be another hospital for miles.”

“During a ransomware attack, hospitals often have to switch back to inefficient pen-and-paper methods of administration, and this slows down health care delivery and introduces additional risks to patient safety,” said Dameff.

With a $10 million award, the RxCRS (Reliable and eXplainable Cyber Reasoning System for Digital Health Security) focuses on building new techniques to provide reliable, robust, and clear input for existing binary analysis techniques, and retrofitting them to ensure their soundness. 

Recent convergence in the development of program analysis, formal protocol analysis, cryptography, and biology has fostered an environment ripe for the augmentation of the binary analysis process with reliability, robustness, and clarity. RxCRS aims to reduce the effort and cost required to find and remediate vulnerabilities in legacy medical devices.

The EHR-FIST initiative covers digital format rehabilitation to improve interoperability of EHR systems and records, securing an award of $1.8 million. Its goal is to characterize the most problematic constructs in widely used electronic health record (EHR) data formats by discovering and reporting parsing bugs in existing EHR management systems. Once identified, procedures will be specified for reducing existing records into a safe form that facilitates unambiguous and secure interpretation of health records, while maintaining compatibility with existing EHR systems. 

EHR-FIST aims to improve the security and privacy of patient data without requiring patches to the software processing that data.

The  ARPA-H DIGIHEALS initiative also allocated up to $3 million to Software Bill of Materials (SBOMs) and Software Bills of Behaviors for effective cyber risk mitigation in healthcare systems comparative study. 

The project seeks to perform an in-depth investigation of SBOM shortcomings by comparing ‘traditional state-of-the-art SBOMs against novel functionality and behavior-based analysis using health care-relevant datasets.’ The behavior-based analytical approach aims to provide a more comprehensive automated cybersecurity risk assessment for medical devices than existing approaches.

Last month, the Department of Energy (DOE) through its Office of Cybersecurity, Energy Security, and Emergency Response (CESER) announced US$39 million of funding for nine new National Laboratory projects to advance the cybersecurity of distributed energy resources (DER). These projects will work towards advancing research, development, and demonstrations for new cyber tools and technologies for clean DER.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.