A $50 million research project hopes to make it easier to update the many different computer systems in use across hospitals, boosting their protection against ransomware and other security risks.
The US Advanced Research Projects Agency for Health (ARPA-H) has launched a project which it has called the Universal PatchinG and Remediation for Autonomous DEfense program (which handily shortens to Upgrade).
It seeks to fund the creation of tools to make it easier to update and protect IT systems in hospitals which are often hard to keep up to date, giving attackers a way in.
“It’s particularly challenging to model all the complexities of the software systems used in a given health care facility, and this limitation can leave hospitals and clinics uniquely open to ransomware attacks,” said Upgrade program manager Andrew Carney.
Despite the size of the cyber security industry, health care sector challenges remain “under addressed”, even as more pieces of equipment are network-connected than ever before, said ARPA-H, a relatively new US agency that seeks to fund healthcare innovations.
The program aims to build an autonomous system to deliver “proactive, scalable, and synchronized security updates”. This software platform will offer simulated evaluations of a potential vulnerability’s impact and adapt to any hospital environment across a wide array of common devices, the agency said.
“The program aims to reduce the uncertainty and manual effort necessary to secure hospitals, guaranteeing that vulnerable equipment is fixed and allowing staff to focus on patient care,” it said.
Once a threat is detected, the idea is that a patch can be automatically ordered or developed, tested in the model environment, and then deployed with minimum interruption to the devices in use in a hospital. The plan is to speed up the time between the detection of a device vulnerability and an automated patch being deployed to a matter of days.
The Upgrade program wants teams to submit proposals on four technical areas: creating the vulnerability mitigation software platform, developing high-fidelity digital twins of hospital equipment, auto-detecting vulnerabilities, and auto-developing custom defenses.
The home page for the program poses the question: “What if every hospital could autonomously protect itself and patients from cyber threats?”
The agency said cyber attacks that hamper hospital operations can impact patient care while critical systems are down and can even force hospitals to close their doors.
But a big problem is the number and variety of internet-connected devices unique to each hospital setting. While consumer devices and software are easily patched regularly and rapidly, taking a critical piece of hospital infrastructure offline for updates can be very disruptive, so rolling out patches to devices can take a year or more.
“Delayed development and deployment of software fixes can leave actively supported devices vulnerable for over a year and unsupported legacy devices vulnerable far longer,” it warned.
Healthcare cyber attacks are surging
In recent years, hospitals and healthcare providers have become a regular target of ransomware gangs. That’s because they have lots of highly personal information like medical records but often find it hard to protect every possible access point.
Similarly, hospitals often find it hard to schedule the downtime needed for patching and other updates. These gangs are banking on hospitals not having the time to rebuild systems from scratch and thus being more willing to pay a ransom than other sectors.
A prime example of the importance of patching in healthcare is the 2017 WannaCry ransomware attack against the UK’s National Health Service (NHS), which could’ve been prevented if hospitals had implemented a Windows software patch.
ARPA-H already has another digital health security initiative called Digiheals which is funding six projects covering areas such as automated medical device patching, ransomware intervention, cognitive health assistants for better data organization, cyber reasoning techniques, and electronic health record consolidation.
It’s also working with the Defense Advanced Research Projects Agency (DARPA) for the Artificial Intelligence Cyber Challenge, a prize competition to secure open source software used in critical infrastructure.
The American Hospitals Association welcomed the move, with John Riggi, AHA's national advisor for cyber security and risk, stating that the initiative could play a key role in bolstering security practices across the industry.
“It is clear, health care is a critical infrastructure sector, which must not be left to defend itself on its own through uncoordinated and uneven capabilities. Continuing ransomware attacks on the health care sector represent an urgent national security, public health and safety issue.”
