Uncle Sam to inject $50M into auto-patcher for hospital IT

Boffins, why not simply invent an algorithm that autonomously fixes flaws, thereby ending ransomware forever


The US government's Advanced Research Projects Agency for Health (ARPA-H) has pledged more than $50 million to fund the development of technology that aims to automate the process of securing hospital IT environments.

ARPA-H has called this program Universal PatchinG and Remediation for Autonomous DEfense, or UPGRADE for short. The agency basically wants techies to get together and build a suite of software tools that can scan for vulnerabilities and weaknesses in hospital computer systems, and then automatically deploy patches for identified threats, developing and testing fixes and mitigations as needed.

As such, the agency this week invited teams to apply for funding totaling tens of millions of dollars to create UPGRADE and see it through to completion.

Modern medical facilities typically use a lot of internet or network-connected devices, and taking these offline to patch or protect them can disrupt patient services. Not patching them, however, leaves clinics vulnerable to compromise. To accommodate these hospital-specific concerns, the UPGRADE platform will test software fixes in a model environment before deploying them "with minimum interruption" to the devices that need them, if the plans come to fruition. 

The project thus seeks participants focused on four specific areas: Creating a vulnerability mitigation software platform; developing digital twins of hospital equipment; auto-detecting flaws; and auto-developing custom defenses.  

ARPA-H is a US government funding agency that President Joe Biden created two years ago. It's tasked with making "pivotal investments in breakthrough technologies" that advantage medicine and healthcare — specifically technologies that "cannot readily be accomplished through traditional research or commercial activity." And its director reports to the US Dept of Health and Human Services (HHS) Secretary.

"We continue to see how interconnected our nation's health care ecosystem is and how critical it is for our patients and clinical operations to be protected from cyberattacks," HHS Deputy Secretary Andrea Palm said in a statement. "ARPA-H's UPGRADE will help build on HHS' Healthcare Sector Cybersecurity Strategy to ensure that all hospital systems, large and small, are able to operate more securely and adapt to the evolving landscape."

HHS, incidentally, sets hospitals voluntary healthcare-specific cybersecurity performance goals that look likely to become mandatory.

UPGRADE, and what it hopes to accomplish, is a big task. It's also potentially a life-saving one, as ransomware and other criminal gangs increasingly target medical facilities with the intent of locking IT and medical staff out of critical systems needed to deploy ambulances, provide medications and services, and access patients' vital information.

"Healthcare is both acutely being targeted, and it has been more and more targeted over the last few years," ARPA-H program manager Andrew Carney told The Register in an earlier interview. "It's also uniquely sensitive to disruptions compared to many other critical infrastructure sectors."

Carney, at the time, was discussing another recent ARPA-H partnership, this one with the Defense Advanced Research Projects Agency (DARPA) for the Artificial Intelligence Cyber Challenge (AIxCC).

AIxCC is the two-year competition that DARPA announced last summer at the annual Black Hat conference in Las Vegas. It focuses on building AI-based tools that automatically secure code used in critical infrastructure. Participants in this challenge are now competing in trials to see which teams will advance to the semifinals at DEF CON in August. 

During the semifinals, seven teams will each be awarded $2 million before advancing to the final competition at the DEF CON conference in 2025. ®
