Advanced Research Projects Agency for Health (ARPA-H), an agency of the US Department of Health and Human Services (HHS), has launched a new cybersecurity programme to safeguard the country’s hospitals from cyberattacks.  

Known as ‘Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE)’, this programme will allocate over $50m to develop tools that aid IT teams in defending hospital environments. 

The aim is to develop a software suite to detect potential vulnerabilities in digital hospital ecosystems and offer quick fixes.  

ARPA-H identifies the diversity of internet-connected devices in each facility as a significant challenge in advancing cybersecurity tools within the health sector.  

This signifies that unlike consumer products, which are regularly patched, updating critical hospital infrastructure can cause substantial disruptions while slow development/deployment of software fixes can leave supported devices exposed to risk for extended periods. 

To address this, UPGRADE will draw on the expertise of IT staff, healthcare providers, human factors engineers, cybersecurity experts and medical device manufacturers to develop a scalable and customised software suite for hospital cyber-resilience. 

The UPGRADE platform will assess potential vulnerabilities by testing digital hospital environment models for software weaknesses.  

Upon identification of a particular threat, a remediation, such as a patch, can be developed or produced automatically, followed by testing it in a model environment and final deployment causing minimal interruption to hospital devices. 

In addition, the programme will focus on protecting all systems and networks of medical devices, ensuring the deployment of solutions at scale.  

The agency said it will soon issue a solicitation for proposals on four technical areas, including development of high-fidelity digital twins of hospital equipment, creating a vulnerability mitigation software solution, auto-developing custom defences and auto-detecting vulnerabilities.  

It seeks to award multiple contracts from this solicitation. 

ARPA-H director Renee Wegrzyn said: “UPGRADE will speed up the detection of a device vulnerability to safe, automated patch deployment in a matter of days, providing confidence to hospital staff and peace of mind to people in their care.”  

HHS Deputy Secretary Andrea Palm added: “ARPA-H’s UPGRADE will help build on HHS' Healthcare Sector Cybersecurity Strategy to ensure that all hospital systems, large and small, are able to operate more securely and adapt to the evolving landscape."  

This development comes shortly after cyberattacks at some of the major US health systems, including UnitedHealth-owned Change Healthcare, which was hit by a ransomware attack and most recently Ascension, where a cyberattack disrupted clinical operations.