$50 million program aims to boost hospital cybersecurity

The Advanced Research Projects Agency for Health (ARPA-H) unveiled the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program, a cybersecurity initiative aimed at fortifying hospital IT infrastructure against cyberattacks. The program will channel over $50 million into developing advanced tools to empower IT teams in securing hospital environments.

Cyberattacks pose significant risks to hospital operations, potentially disrupting patient care and even leading to facility closures. The diversity and sheer number of internet-connected devices in hospitals complicate cybersecurity efforts. Unlike consumer products that receive regular updates, taking critical hospital infrastructure offline for patching can be highly disruptive. Consequently, delays in software updates leave devices vulnerable, sometimes for over a year, and unsupported legacy devices remain at risk for even longer periods.

“We continue to see how interconnected our nation’s health care ecosystem is and how critical it is for our patients and clinical operations to be protected from cyberattacks. Today’s launch is yet another example of HHS’ continued commitment to improving cyber resiliency across our healthcare system,” stated HHS Deputy Secretary Andrea Palm. “ARPA-H’s UPGRADE will help build on HHS' Healthcare Sector Cybersecurity Strategy to ensure that all hospital systems, large and small, are able to operate more securely and adapt to the evolving landscape."

Andrew Carney, UPGRADE Program Manager, highlighted the challenges hospitals face. “It’s particularly challenging to model all the complexities of the software systems used in a given health care facility, and this limitation can leave hospitals and clinics uniquely open to ransomware attacks. With UPGRADE, we want to reduce the effort it takes to secure hospital equipment and guarantee that devices are safe and functional so that healthcare providers can focus on patient care.”

Addressing these cybersecurity challenges requires collaboration among IT staff, medical device manufacturers, health care providers, human factors engineers, and cybersecurity experts. The UPGRADE program aims to develop a comprehensive software suite tailored to enhance hospital cyber-resilience. This platform will enable proactive vulnerability assessments by simulating digital hospital environments. Once a threat is identified, the system can automatically develop, test, and deploy patches with minimal disruption to hospital operations.

“Health isn’t just something that impacts an individual, and ARPA-H is investing in ways to build stronger, healthier, and more resilient health care systems that can sustain themselves between crises,” said ARPA-H Director Renee Wegrzyn, Ph.D, in a statement. “UPGRADE will speed the time from detecting a device vulnerability to safe, automated patch deployment down to a matter of days, providing confidence to hospital staff and peace of mind to the people in their care.”

ARPA-H's UPGRADE program is part of a broader effort to enhance digital health security. Last summer, ARPA-H launched the Digital Health Security Initiative, DIGIHEALS, focused on securing individual applications and devices. Additionally, ARPA-H has partnered with the Defense Advanced Research Projects Agency for the Artificial Intelligence Cyber Challenge (AIxCC), a competition to secure open-source software used in critical infrastructure. UPGRADE aims to extend these efforts by securing entire systems and networks of medical devices, facilitating scalable solutions.

The UPGRADE program will soon issue a solicitation for proposals in four technical areas: creating a vulnerability mitigation software platform, developing high-fidelity digital twins of hospital equipment, auto-detecting vulnerabilities, and auto-developing custom defenses. Multiple awards are anticipated to foster diverse and innovative solutions.