OODA Loop – HHS Launches $50 Million ARPA-H Program to Improve Hospital Cybersecurity
In the wake of the Ascension and Change/United Healthcare ransomware attacks, the Department of Health and Human Services (HHS) and the Advanced Research Projects Agency for Health (ARPA-H) recently “announced the launch of the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program, a cybersecurity effort that will invest more than $50 million to create tools for information technology (IT) teams to better defend the hospital environments they are tasked with securing.”
HHS Offering $50 Million for Proposals to Improve Hospital Cybersecurity (Recorded Future News)
The project comes as part of an urgent search for answers to address digital threats to the healthcare industry.
The Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) Program “aims to secure whole systems and networks of medical devices to ensure solutions can be employed at scale,” HHS said. The Advanced Research Projects Agency for Health (ARPA-H), which will run the program, is soliciting proposals from the private sector to create a vulnerability mitigation software platform and a system for auto-detecting vulnerabilities. They also want to develop digital replicas of hospital equipment that can be tested on and deployed in case of emergency, as well as custom defenses for hospitals that can be created automatically. “It’s particularly challenging to model all the complexities of the software systems used in a given health care facility, and this limitation can leave hospitals and clinics uniquely open to ransomware attacks,” UPGRADE Program Manager Andrew Carney said in a statement. “With UPGRADE, we want to reduce the effort it takes to secure hospital equipment and guarantee that devices are safe and functional so that health care providers can focus on patient care.”
“We continue to see how interconnected our nation’s health care ecosystem is and how critical it is for our patients and clinical operations to be protected from cyberattacks” – HHS Deputy Secretary Andrea Palm
HHS officials said in a statement on Monday that one of the biggest hurdles to improving cybersecurity tools in the health sector is the diversity of internet-connected devices — many of which cannot be taken offline for security patches. Patches for devices used by hospitals and clinics also tend to take longer than a year to develop, leaving them vulnerable for much longer than most consumer products, according to HHS. Health-ISAC, an information sharing organization for the U.S. healthcare sector, said in a 2023 report that researchers had found nearly 1,000 exploitable bugs in medical products. The agency hopes to reach a point where remediations can be “automatically procured or developed, tested in the model environment, and deployed with minimum interruption to the devices in use in a hospital.” ARPA-H Director Renee Wegrzyn said the goal is to build “more resilient health care systems that can sustain themselves between crises.” “UPGRADE will speed the time from detecting a device vulnerability to safe, automated patch deployment down to a matter of days, providing confidence to hospital staff and peace of mind to the people in their care,” Wegrzyn said.
ARPA-H Announces Program to Enhance and Automate Cybersecurity for Health Care Facilities
The program seeks to protect operations and ensure the continuity of patient care
Cyberattacks that hamper hospital operations can impact patient care while critical systems are down and can even lead to facility closure. A major hurdle in advancing cybersecurity tools in the health sector is the number and variety of internet-connected devices unique to each facility. While consumer products are patched regularly and rapidly, taking a critical piece of hospital infrastructure offline for updates can be very disruptive. Delayed development and deployment of software fixes can leave actively supported devices vulnerable for over a year and unsupported legacy devices vulnerable far longer.
Filling this gap in digital health security will take expertise from IT staff, medical device manufacturers and vendors, health care providers, human factors engineers, and cybersecurity experts to create a tailored and scalable software suite for hospital cyber-resilience. The UPGRADE platform will enable proactive evaluation of potential vulnerabilities by probing models of digital hospital environments for weaknesses in software. Once a threat is detected, a remediation (e.g., patch) can be automatically procured or developed, tested in the model environment, and deployed with minimum interruption to the devices in use in a hospital.
Addressing vulnerabilities in health care and data security is a challenge that ARPA-H is uniquely positioned to address. ARPA-H’s Digital Health Security Initiative, DIGIHEALS, launched last summer and is focused on securing individual applications and devices. The agency has also recently partnered with the Defense Advanced Research Projects Agency for the Artificial Intelligence Cyber Challenge, or AIxCC, a prize competition to secure open-source software used in critical infrastructure. UPGRADE aims to secure whole systems and networks of medical devices to ensure solutions can be employed at scale.
Through a forthcoming solicitation, UPGRADE seeks performer teams to submit proposals on four technical areas: creating a vulnerability mitigation software platform, developing high-fidelity digital twins of hospital equipment, auto-detecting vulnerabilities, and auto-developing custom defenses.
Multiple awards under this solicitation are anticipated. To learn more about UPGRADE, including information about the draft solicitation, virtual Proposers’ Day registration, and how to state interest in forming an applicant team, visit the UPGRADE program page.
For more information on HHS’ Cybersecurity Performance Goals and HHS’ cybersecurity work, visit HHS Cybersecurity Gateway.
UPGRADE – Universal Patching and Remediation for Autonomous Defense
The Big Question
What if every hospital could autonomously protect itself and patients from cyber threats?
The Problem
Hospitals are diverse in the care they provide, the devices they use, the vendors they purchase from, and the patients they serve. The variability in network-connected equipment across hospitals makes it difficult to ensure robust, up-to-date digital security. Even short disruptions to IT systems can critically impact patient services, especially as the devices most critical for patient health and safety are among the least protected. The complexities in securing the number and variety of internet-enabled medical devices may unwittingly open health care systems to ransomware and other cyberattacks.
The Current State
Unfortunately, cyberattacks that disrupt hospital operations can have lasting repercussions, limiting care availability for weeks or months or forcing facility closure. While proactive vendors patch consumer products with software weaknesses in days or weeks, health care technology can take over a year to patch at scale. Deploying security updates in hospitals is difficult because of the sheer number of internet-connected devices, limitations in health care IT resources, and low tolerance for the device downtime needed to test and patch. Despite the size of the cybersecurity industry, health care sector challenges remain under-addressed, even as more pieces of equipment are network-connected than ever before.
The Challenge
To protect hospital operations, keep devices secured, and ensure continuity of patient care, the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program envisions an autonomous cyber-threat solution that enables proactive, scalable, and synchronized security updates. Importantly, this software platform will enable simulated evaluations of potential vulnerabilities’ impact and adapt to any hospital environment across a wide array of common devices. The program aims to reduce the uncertainty and manual effort necessary to secure hospitals, guaranteeing that vulnerable equipment is fixed and allowing staff to focus on patient care.
The Solution
UPGRADE expects to bring together equipment manufacturers, cybersecurity experts, and hospital IT staff to develop a tailored and scalable software suite for hospital cyber-resilience. This broad effort intends to secure whole systems and networks of medical equipment to ensure mitigations can be deployed at scale.
The program has four technical areas. Technical area 1 focuses on the creation of a vulnerability mitigation platform. Technical area 2 aims to create high-fidelity digital twins of equipment in hospital environments. Technical areas 3 and 4 seek to develop methods to rapidly and automatically detect software vulnerabilities and then confidently develop defenses for each.
Why ARPA-H
One of ARPA-H’s core focus areas is building resilient and integrated health care systems. By connecting autonomous digital security tools with hospitals that need them most, UPGRADE aims to develop systems that can sustain themselves between crises and fill a gap in digital health security.
Additional OODA Loop Resources
For further OODA Loop News Briefs and Original Analysis on these topics, go to:
The Social Engineering Tactics of Ransomware-as-a-Service Operator Black Basta: Last week brought another high-impact ransomware attack in the healthcare sector, this time on healthcare giant Ascension. The attack has been attributed to the Russian non-state actor Black Basta, a “group…believed to have been started by former members of the infamous Conti ransomware collective, which dissolved in May 2022. Since then, Black Basta and its affiliates have hit over 500 organizations around the world, predominantly in North America, Europe, and Australia.” Details here.
Social Engineering Remains the Coin of the Realm for Ransomware Gangs (or APTs, Advanced Persistent Threats): We have been on the social engineering (aka Human Risk Management or Human Engineering) beat for a while, providing resources to our readership and the OODA Network regularly. Those resources are compiled here for individuals or organizations who want to follow up on some of the ideas presented in the 60 Minutes segment. We encourage follow-up and a review of your threat vectors and vulnerabilities vis-à-vis the social engineering threat. There are plenty of pragmatic implementation resources here, especially in the OODAcast conversations with OODA affiliates who are the experts on the social engineering threat, which are a call to action.
After the Impact of the Change/United Healthcare Ransomware Attack, HHS Bolsters Healthcare Cybersecurity Initiatives: The ransomware epidemic is starting to feel like one continuous incident report and a growing national security concern, not to mention the dormant “ghost in the machine” capabilities that have already been positioned in the U.S. internetwork (by nation-state and non-nation-state players alike) as part of a strategic plan for a larger act of cyber war in the future. Following is a tick-tock (no pun intended) of the recent Change/United Health Group attack, which has been attributed to the Russia-affiliated ALPHV/Blackcat ransomware group.
Cyber Risks
Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and their directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk
Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has made regional issues affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See: The Cyber Threat
Ransomware’s Rapid Evolution: Ransomware technology and its associated criminal business models have seen significant advancements. This has culminated in a heightened threat level, resembling a pandemic in its reach and impact. Yet, there are strategies available for threat mitigation. See: Ransomware, and the update.
Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat
Recommendations for Action
Decision Intelligence for Optimal Choices: The simultaneous occurrence of numerous disruptions complicates situational awareness and can inhibit effective decision-making. Every enterprise should evaluate its methods of data collection, assessment, and decision-making processes. For more insights, see: Decision Intelligence.
Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. It’s crucial to remember that cybersecurity isn’t solely the responsibility of the IT department or the CISO – it’s a collective effort that involves the entire leadership. Relying solely on governmental actions isn’t advised given its inconsistent approach towards aiding industries in risk reduction. See: Cyber Defenses
The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance
Embracing Corporate Intelligence and Scenario Planning in an Uncertain Age: Apart from traditional competitive challenges, businesses also confront external threats, many of which are unpredictable. This environment amplifies the significance of Scenario Planning. It enables leaders to envision varied futures, thereby identifying potential risks and opportunities. All organizations, regardless of their size, should allocate time to refine their understanding of the current risk landscape and adapt their strategies. See: Scenario Planning
Track Technology-Driven Disruption: Businesses should examine technological drivers and future customer demands. A multidisciplinary knowledge of tech domains is essential for effective foresight. See: Disruptive and Exponential Technologies.