HHS offering $50 million for proposals to improve hospital cybersecurity

The U.S. Department of Health and Human Services (HHS) is launching a $50 million program to fund cybersecurity tools to protect hospitals from attacks.

The project comes as part of an urgent search for answers to address digital threats to the healthcare industry. 

The Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program “aims to secure whole systems and networks of medical devices to ensure solutions can be employed at scale,” HHS said. 

The Advanced Research Projects Agency for Health (ARPA-H), which will run the program, is soliciting proposals from the private sector to create a vulnerability mitigation software platform and a system for auto-detecting vulnerabilities. 

They also want to develop digital replicas of hospital equipment that can be tested on and deployed in case of emergency, as well as custom defenses for hospitals that can be created automatically. 

“It’s particularly challenging to model all the complexities of the software systems used in a given health care facility, and this limitation can leave hospitals and clinics uniquely open to ransomware attacks,” UPGRADE Program Manager Andrew Carney said in a statement. 

“With UPGRADE, we want to reduce the effort it takes to secure hospital equipment and guarantee that devices are safe and functional so that health care providers can focus on patient care.”

The program announcement coincides with yet another significant cyber incident affecting the sector. A cyberattack on the nonprofit healthcare system Ascension has forced dozens of hospitals to turn away ambulances and cancel appointments, and several other healthcare organizations have announced cyberattacks in the last month — prompting White House officials and members of Congress to float legislative ideas for how to deal with the attacks. 

“We continue to see how interconnected our nation’s health care ecosystem is and how critical it is for our patients and clinical operations to be protected from cyberattacks," said HHS Deputy Secretary Andrea Palm.

HHS officials said in a statement on Monday one of the biggest hurdles to improving cybersecurity tools in the health sector is the diversity of internet-connected devices — many of which cannot be taken offline for security patches. 

Patches for devices used by hospitals and clinics also tend to take longer than a year to develop, leaving them vulnerable for much longer than most consumer products, according to HHS. 

Health-ISAC, an information sharing organization for the U.S. healthcare sector, said in a 2023 report that researchers had found nearly 1,000 exploitable bugs in medical products.

The agency hopes to reach a point when remediations can be “automatically procured or developed, tested in the model environment, and deployed with minimum interruption to the devices in use in a hospital.”

ARPA-H Director Renee Wegrzyn said the goal is to build “more resilient health care systems that can sustain themselves between crises.” 

“UPGRADE will speed the time from detecting a device vulnerability to safe, automated patch deployment down to a matter of days, providing confidence to hospital staff and peace of mind to the people in their care,” Wegrzyn said. 

ARPA-H has launched other cybersecurity efforts in the past, including last year’s Digital Health Security Initiative focusing on securing individual applications and devices.