HHS is offering $50 million to help providers fix ransomware vulnerabilities

The U.S. Department of Health and Human Services on Monday announced a new funding commitment to improve hospitals’ cyber resilience.

The new National Institutes of Health initiative, Universal PatchinG and Remediation for Autonomous DEfense, or UPGRADE, will invest more than $50 million to develop tools that protect hospital operations, secure medical equipment and help ensure continuity of patient care, the announcement said.


With the number of Internet-connected devices unique to each healthcare facility or organization and the variability of network-connected equipment in hospitals, it is difficult to ensure robust, up-to-date digital security.

Even brief disruptions to IT systems can have a critical impact on patient services, especially since the devices most critical to patient health and safety are often among the least protected.

The complexity of securing the number and variety of Internet-enabled medical devices can unknowingly open healthcare systems to ransomware and other cyberattacks, according to NIH, which runs UPGRADE through its Advanced Research Projects Agency for Health division, or ARPA-H.

“It is extremely challenging to model all the complexities of the software systems used in a given healthcare facility, and this limitation can uniquely expose hospitals and clinics to ransomware attacks,” said Andrew Carney, UPGRADE program manager, in a statement.

“We want to reduce the effort required to secure hospital equipment and ensure devices are safe and functional so healthcare providers can focus on patient care,” he said.

Tools that help IT teams better defend the hospital environments they are legally required to protect can improve cyber resilience in our healthcare system and fill the gap in digital healthcare security.

Such a feat – creating a publicly funded, customized and scalable hospital cyber resilience software suite – will require the expertise of hospital IT professionals, medical device manufacturers and suppliers, healthcare providers, human factors engineers and cybersecurity experts, ARPA-H acknowledged in the announcement.

The vision – a platform that enables proactive assessment of potential vulnerabilities by examining models of digital hospital environments for weaknesses in the software and automatically procuring or developing the necessary remediations – would also test the remediations in the model environment and deploy the necessary patches to “the devices used in a hospital with minimal interruption,” project leaders noted.

Software that can automate the deployment of patches within “a matter of days” after vulnerabilities are discovered could give hospital staff and patients “peace of mind,” said Renee Wegrzyn, director of ARPA-H.

“Health is not just something that impacts an individual, and ARPA-H is investing in ways to build stronger, healthier and more resilient healthcare systems that can sustain themselves between crises,” she added.

The new project falls under ARPA-H’s Digital Health Security Initiative, DIGIHEALS, which was launched in 2023 and focuses on securing individual applications and devices. DIGIHEALS recently partnered with the Defense Advanced Research Projects Agency for the Artificial Intelligence Cyber Challenge, a competition to secure open source software used in critical infrastructure.


Patch management is a challenge for healthcare IT teams, who must not only keep pace with the growth of vulnerabilities that cybercriminals will explore as potential attack vectors, but also upgrade software on medical devices and systems that patients depend on for care at the times that vulnerabilities are discovered.

That’s especially difficult for medical devices because software becomes outdated quickly, security experts at the HIMSS24 Healthcare Cybersecurity Forum said in March.

Although they recommended having certain IoT devices patched during planned maintenance,

Tyler Reguly, senior manager of security research and development at Fortra, told Healthcare IT News last month that artificial intelligence’s ability to help organizations keep pace with constantly evolving vulnerabilities is still in its infancy.

For now, organizations must rely on cybersecurity experts to stay informed, he said. In the future there will be plenty of opportunities for organizations to use it.


“ARPA-H’s UPGRADE will help build on HHS’ Healthcare Sector Cybersecurity Strategy to ensure that all hospital systems, large and small, can operate more securely and adapt to the changing landscape,” said HHS Deputy Secretary Andrea Palm, in a statement.

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.