HHS dedicates $50M to development of autonomous cyber defense tools

HHS announced the launch of the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program and a $50 million investment in developing autonomous security tools for hospital environments.

Spearheaded by the Advanced Research Projects Agency for Health (ARPA-H), a division of HHS, the program aims to bring hospital IT staff, equipment manufacturers, and cybersecurity experts together to develop a “scalable software suite for hospital cyber-resilience.”

The creation of the UPGRADE program was motivated by the growing complexity of securing devices across a healthcare ecosystem, as cyberattacks continue to disrupt patient care and operations.

Patching vulnerabilities remains a crucial action when it comes to mitigating cyber risk, but the variability and quantity of healthcare technology on a given hospital network can create delays in deploying timely patches.

The UPGRADE program consists of four technical areas, the first of which focuses on creating a vulnerability mitigation platform. In its final state, the platform will enable simulated evaluations of the impact of a given vulnerability and adjust security updates based on an array of common devices across a hospital environment.

The second technical area focuses on creating high-fidelity digital twins of equipment in hospital environments, while technical areas three and four aim to develop methods for automatically detecting software vulnerabilities and developing defenses to match.

“UPGRADE will speed the time from detecting a device vulnerability to safe, automated patch deployment down to a matter of days, providing confidence to hospital staff and peace of mind to the people in their care,” said Renee Wegrzyn, ARPA-H director.

This announcement follows the creation of ARPA-H’s Digital Health Security Initiative (DIGIHEALS) last year, which aims to protect the healthcare sector’s electronic infrastructure from cyberattacks and fund research initiatives. By November 2023, ARPA-H had awarded millions in funding to various institutions to bolster research into healthcare cybersecurity topics.

“It’s particularly challenging to model all the complexities of the software systems used in a given health care facility, and this limitation can leave hospitals and clinics uniquely open to ransomware attacks,” said Andrew Carney, UPGRADE program manager.

“With UPGRADE, we want to reduce the effort it takes to secure hospital equipment and guarantee that devices are safe and functional so that health care providers can focus on patient care.” 

ARPA-H is now seeking proposals focused on the four technical areas in the UPGRADE program and plans to issue multiple awards for funding.

The American Hospital Association (AHA) applauded the program's launch and HHS' acknowledgement of the cyber challenges in healthcare. 

"The research which will be empowered through the ARPA-H funding will yield technical solutions which should be applied strategically to help secure the entire sector," said John Riggi, AHA's national advisor for cybersecurity and risk.

"It is clear, health care is a critical infrastructure sector, which must not be left to defend itself on its own through uncoordinated and uneven capabilities. Continuing ransomware attacks on the health care sector represent an urgent national security, public health and safety issue. The UPGRADE program is an innovative and welcomed 'whole of nation' approach, which will combine the expertise of the health care sector and government experts."