HHS research arm to spend $50M on ‘revolutionary’ cyber tools

The new project comes amid sustained Congressional attention on HHS's role in overseeing healthcare cybersecurity in the wake of the Change Healthcare incident.

Amid relentless targeting of the health sector by ransomware attacks, the Department of Health and Human Services research arm says it will invest more than $50 million in advanced healthcare cybersecurity tools.

HHS’s Advanced Research Projects Agency for Health (ARPA-H) on Monday announced a “Universal PatchinG and Remediation for Autonomous DEfense” (UPGRADE) program. The goal is to build tools that help hospitals and healthcare systems more easily find and fix cyber vulnerabilities in their systems.

In a statement, HHS Deputy Secretary Andrea Palm said the new program would help build on the HHS cybersecurity strategy for the healthcare sector.

“We continue to see how interconnected our nation’s health care ecosystem is and how critical it is for our patients and clinical operations to be protected from cyberattacks,” Palm said. “Today’s launch is yet another example of HHS’ continued commitment to improving cyber resiliency across our health care system.”

UPGRADE program manager Andrew Carney said a major challenge is modeling the complexities in the myriad software used in any given healthcare facility, leaving many open to ransomware attacks.

“With UPGRADE, we want to reduce the effort it takes to secure hospital equipment and guarantee that devices are safe and functional so that health care providers can focus on patient care,” Carney said in a statement.

A special notice announcing the new project details how ARPA-H envisions the new program developing a “revolutionary new cybersecurity platform for hospitals and health systems.” The idea is to help hospital IT teams manage the “massive complexity” of many health IT environments.

“UPGRADE envisions a semiautonomous cyber-threat mitigation platform that promotes proactive, scalable, and synchronized security updates, adaptable to any hospital environment, and across a wide array of the most vulnerable equipment classes,” the special notice states.

“This software platform will contain a suite of tools that enable real-time evaluation of potential vulnerabilities, and how corresponding security updates might impact hospital operations,” the notice continues. “This will empower hospital decision makers to deploy security remediations without risking the real-world operational downtime that threatens the continuity of patient care.”

ARPA-H detailed how the program will focus on four distinct technical areas, including creating the vulnerability mitigation software platform; developing “high-fidelity” digital twins of hospital systems; automatically detecting cyber vulnerabilities; and “auto-developing” custom cyber defenses.

The research agency said it plans to make multiple awards under the UPGRADE program. It will hold a proposers day on June 20.

ARPA-H’s new project comes amid sustained attention on health sector cybersecurity in the wake of the Change Healthcare ransomware attack. The February cyber incident took down the systems of the major health transactions provider, crippling the operations of hospitals and health systems across the country for weeks.

In addition to investigating the response by United Healthcare, Change Healthcare’s parent company, lawmakers have been probing the response of HHS, which is responsible for overseeing the cybersecurity of the healthcare sector.

“We must also assess the response of the federal government, which plays a critical role in these efforts,” Sen. Mike Crapo (R-Idaho) said during a May 17 Senate Finance Committee hearing on the Change Healthcare breach. “HHS has a responsibility to serve as a central hub for coordination, convening insights from other branches of government and the private sector to deploy timely information about active threats, as well as best practices to deter intrusions and resources should an attack occur.”

HHS officials say they are elevating the role of the Administration for Strategic Preparedness and Response (ASPR) to serve as a hub for the agency’s sector cybersecurity efforts, which span multiple components and offices.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories