HHS offers $50M to help providers patch ransomware vulnerabilities

The U.S. Department of Health and Human Services on Monday announced a new funding commitment designed to improve hospital cyber resiliency.

The new National Institutes of Health initiative, Universal PatchinG and Remediation for Autonomous DEfense, or UPGRADE, will invest more than $50 million for the development of tools that protect hospital operations, keep medical devices secure and help ensure the continuity of patient care, according to the announcement.


With the number of internet-connected devices unique to each healthcare facility or organization and the variability of network-connected equipment across hospitals, it has been difficult to ensure robust, up-to-date digital security. 

Even short disruptions to IT systems can critically impact patient services, especially as the devices most critical for patient health and safety tend to be among the least protected. 

The complexities in securing the number and variety of internet-enabled medical devices may unwittingly open healthcare systems to ransomware and other cyberattacks, according to NIH, which is spearheading UPGRADE through its Advanced Research Projects Agency for Health division, or ARPA-H. 

“It’s particularly challenging to model all the complexities of the software systems used in a given healthcare facility, and this limitation can leave hospitals and clinics uniquely open to ransomware attacks,” said Andrew Carney, UPGRADE program manager, in a statement.

“We want to reduce the effort it takes to secure hospital equipment and guarantee that devices are safe and functional so that healthcare providers can focus on patient care,” he said. 

Tools that help IT teams better defend the hospital environments they must secure by law could improve cyber resiliency across our healthcare system and fill the gap in digital health security. 

Such a feat – creating a government-funded tailored and scalable software suite for hospital cyber-resilience – will require expertise from hospital IT professionals, medical device manufacturers and vendors, healthcare providers, human factors engineers and cybersecurity experts, ARPA-H acknowledged in the announcement. 

The vision – a platform that will enable proactive evaluation of potential vulnerabilities by probing models of digital hospital environments for weaknesses in software and automatically procure or develop the remediation needed – would also test remediation in the model environment and deploy needed patches “with minimum interruption to the devices in use in a hospital,” project leaders noted.

Software that can automate patch deployment in “a matter of days” after vulnerabilities are detected could give hospital staff and patients “peace of mind,” said Renee Wegrzyn, ARPA-H director.

“Health isn’t just something that impacts an individual, and ARPA-H is investing in ways to build stronger, healthier and more resilient healthcare systems that can sustain themselves between crises,” she added.

The new project falls under ARPA-H’s Digital Health Security Initiative, DIGIHEALS, launched in 2023 to focus on securing individual applications and devices. DIGIHEALS recently partnered with the Defense Advanced Research Projects Agency for the Artificial Intelligence Cyber Challenge, a prize competition to secure open-source software used in critical infrastructure.


Patch management is a challenge for health IT teams, which must not only keep pace with the growth of vulnerabilities that cybercriminals will explore as potential attack vectors, but also upgrade software on the medical devices and systems that patients depend on for care at times when vulnerabilities are detected.

That is especially difficult for medical devices because software goes out of date quickly, security experts at the HIMSS24 Healthcare Cybersecurity Forum said in March.

While they advised catching certain IoT devices up on patching during scheduled maintenance,

Tyler Reguly, senior manager of security research and development at Fortra, told Healthcare IT News last month that artificial intelligence’s ability to help organizations keep up with constantly evolving vulnerabilities is still in its infancy.

For now, organizations should rely on cybersecurity experts to stay updated, he said. In the future, “There will be plenty of opportunities for organizations to put it to use.”


“ARPA-H’s UPGRADE will help build on HHS’ Healthcare Sector Cybersecurity Strategy to ensure that all hospital systems, large and small, are able to operate more securely and adapt to the evolving landscape,” said HHS Deputy Secretary Andrea Palm in a statement. 

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
