U.S. launches $50 million program to boost hospital cybersecurity
WASHINGTON, D.C., UNITED STATES—The United States government has unveiled a new $50 million program aimed at developing cybersecurity tools to protect hospitals from damaging cyberattacks.
The initiative is dubbed the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE). It was announced on May 20 by the Advanced Research Projects Agency for Health (ARPA-H), a division of the Department of Health and Human Services (HHS).
UPGRADE aims to enable hospitals to automate vulnerability management across all systems and devices, ensuring patches are quickly deployed with minimal disruption to critical healthcare services.
Addressing cybersecurity challenges in hospitals
Vulnerability management is particularly challenging in hospitals due to the number and variety of internet-connected devices unique to each facility. Many of these devices are legacy systems that are no longer supported.
Additionally, taking hospital infrastructure offline for updates can be very disruptive, leading to delays in crucial security patches.
How the UPGRADE program will work
UPGRADE aims to tackle these issues by enabling the proactive evaluation of potential vulnerabilities in healthcare facilities. The program will probe models of digital hospital environments for software weaknesses.
Once a threat is detected, remediation will be automatically procured or developed, tested in the model environment, and deployed with minimal interruption to the devices in use.
To develop these capabilities, UPGRADE is seeking performer teams to submit proposals in four technical areas:
- Creating a vulnerability mitigation software platform
- Developing high-fidelity digital twins of hospital equipment
- Auto-detecting vulnerabilities
- Auto-developing custom defenses
ARPA-H Director Renee Wegrzyn emphasized the importance of this investment, stating, “UPGRADE will speed the time from detecting a device vulnerability to safe, automated patch deployment down to a matter of days, providing confidence to hospital staff and peace of mind to the people in their care.”
Defending against rising healthcare cyberattacks
The announcement follows several high-profile ransomware attacks on healthcare organizations in the U.S. in 2024, which have severely disrupted patient care.
Notably, a ransomware attack on Change Healthcare in February 2024 caused delays to prescriptions and other crucial patient services. UnitedHealth, Change’s owner, later confirmed it paid the BlackCat ransomware group around $22 million to restore its systems.
In May 2024, U.S. private healthcare giant Ascension revealed it had been hit by a ransomware attack, leading to ambulances being diverted and patient appointments being postponed.
The U.S. government is investigating these incidents to determine whether protected health information (PHI) was breached and whether the firms complied with their regulatory duties.