HHS' ARPA-H offering more than $50M for hospital cybersecurity platform pitches

The Department of Health and Human Services’ (HHS’) research funding agency is floating more than $50 million to developers who can build a scalable cybersecurity platform able to keep hospitals' complex digital ecosystems up to speed.

Unveiled Monday morning by the Advanced Research Projects Agency for Health (ARPA-H), the Universal PatchinG and Remediation for Autonomous DEfense, or UPGRADE, program will offer “multiple awards” to those with the best pitches on how to detect weaknesses and deploy fixes with minimal interruptions to care delivery.

“It’s particularly challenging to model all the complexities of the software systems used in a given healthcare facility, and this limitation can leave hospitals and clinics uniquely open to ransomware attacks,” UPGRADE Program Manager Andrew Carney said in a release. “With UPGRADE, we want to reduce the effort it takes to secure hospital equipment and guarantee that devices are safe and functional so that healthcare providers can focus on patient care.”

Connected devices and software have become the norm in hospitals, but cybersecurity experts say it’s common for numerous pieces of technology to fall behind on updates—or even remain on their out-of-the-box versions.

The situation differs from that of consumer-grade connected devices, as “taking a critical piece of hospital infrastructure offline for updates can be very disruptive,” ARPA-H said in its announcement. Combined with the large quantity and variety of products in use among healthcare providers, the challenge leaves hospitals with numerous openings for attackers seeking to access sensitive data or demanding a ransom.

To address the issue, the UPGRADE program aims to build a scalable platform that will proactively probe for vulnerabilities and move toward addressing them.

More specifically, ARPA-H will be seeking outside proposals on four technical areas:

  • Creation of a vulnerability mitigation software platform
  • Development of high-fidelity digital twins of equipment in hospital environments
  • Auto-detection of software vulnerabilities
  • Auto-development of custom defenses

ARPA-H has not yet announced open and close dates for its solicitation, though it does have a “Virtual Proposers’ Day” on the books for June 20. The agency said it expects the challenge will likely require the combined expertise of “IT staff, medical device manufacturers and vendors, healthcare providers, human factors engineers and cybersecurity experts.”

“Today’s launch is yet another example of HHS’ continued commitment to improving cyber resiliency across our healthcare system,” HHS Deputy Secretary Andrea Palm said in the announcement. “ARPA-H’s UPGRADE will help build on HHS’ Healthcare Sector Cybersecurity Strategy to ensure that all hospital systems, large and small, are able to operate more securely and adapt to the evolving landscape.”

Last year, ARPA-H launched a Digital Health Security Initiative that’s seeding investments into individual-level healthcare cybersecurity efforts. A few months back, it also partnered with the better-known Defense Advanced Research Projects Agency on a prize competition employing AI to secure critical infrastructure systems.

HHS has also been spinning up a broader plan to incentivize stronger cybersecurity defenses among the nation’s hospitals. The first part of that strategy, a collection of voluntary cybersecurity performance goals, was released near the top of the year.