Dive Brief:
- An HHS agency revealed a new cybersecurity program Monday that aims to better safeguard hospitals as the healthcare sector faces increasing cyber threats that can derail patient care.
- The initiative, which comes out of the Advanced Research Projects Agency for Health, will invest more than $50 million to build a software suite that could automatically scan model hospital environments for vulnerabilities that could be exploited by hackers and quickly develop and deploy fixes.
- The project seeks to help hospitals keep their vast array of internet-connected devices up to date, preventing attacks and subsequent technology outages that can last for weeks and threaten patient safety.
Dive Insight:
Cyberattacks against the healthcare sector are on the rise, and the industry has already faced multiple major attacks this year.
In February, UnitedHealth-owned technology firm Change Healthcare was hit by a ransomware attack, disrupting key tasks like claims processing, payments to providers, eligibility checks and prescription fulfillment.
Months later, Ascension, a large Catholic health system that runs 140 hospitals across the country, reported it was facing its own ransomware attack. Facilities have been forced to divert ambulances, some pharmacies can’t fill prescriptions and providers might not be able to access electronic health records.
Attacks against hospitals can have severe consequences for patient care, and the fallout from a cyberattack can sometimes last for weeks. In one example early this year, it took Lurie Children’s Hospital in Chicago about a month to restore its Epic EHR after an attack forced the provider to take its computer systems offline.
Hospitals face significant challenges in keeping their scores of connected devices patched to address security concerns, according to ARPA-H, an agency established two years ago to fund biomedical and health research.
While vendors can update consumer products in days or weeks, it might take up to a year to deploy a patch at scale in the healthcare sector, as hospitals can’t keep devices offline for long and they have limited IT resources.
The new project, called UPGRADE, will seek solicitations from experts in four areas: creating vulnerability mitigation software, developing “digital twins” of hospital equipment, automatically detecting vulnerabilities and creating custom cyber defenses.
“UPGRADE will speed the time from detecting a device vulnerability to safe, automated patch deployment down to a matter of days, providing confidence to hospital staff and peace of mind to the people in their care,” ARPA-H Director Renee Wegrzyn said in a statement.
The project comes as the federal government has signaled an increased focus on healthcare cybersecurity. Early this year, the HHS released voluntary cybersecurity goals for the industry that aim to help organizations protect themselves and improve their response if an attack occurs.
Regulators want to require cybersecurity standards for hospitals too. The Biden administration’s proposed 2025 budget would appropriate more than $1 billion over ten years to help hospitals upgrade their cyber defenses — and eventually add penalties for those failing to follow basic practices.