US Unveils $50M Program to Help Hospitals Patch Cybersecurity Gaps


The US government has introduced a new $50 million program aimed at developing cybersecurity tools to safeguard hospital environments from damaging cyber-attacks.

Announced by the Advanced Research Projects Agency for Health (ARPA-H), a division of the Department of Health and Human Services (HHS), the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program was unveiled on May 20.

The initiative seeks to empower hospitals to automate vulnerability management across all their systems and devices, ensuring rapid deployment of patches with minimal disruption to critical healthcare services.

Managing vulnerabilities in hospital settings presents unique challenges due to the diverse and numerous internet-connected devices found in each facility, many of which are outdated and no longer supported.

Additionally, taking hospital infrastructure offline for updates can cause significant disruption, leading to delays in implementing crucial security patches.

How the UPGRADE Program Works

UPGRADE aims to address these challenges by proactively evaluating potential vulnerabilities in healthcare facilities, examining models of digital hospital environments to identify software weaknesses.

Once a threat is identified, the program envisions automatically procuring or developing a remediation solution, testing it in the model environment, and deploying it with minimal disruption to hospital devices.

To achieve these goals, UPGRADE is seeking performer teams to submit proposals in four technical areas:

  1. Creating a vulnerability mitigation software platform
  2. Developing high-fidelity digital twins of hospital equipment
  3. Auto-detecting vulnerabilities
  4. Auto-developing custom defenses

Renee Wegrzyn, Director of ARPA-H, emphasized that this investment is part of the US government’s strategy to build more resilient healthcare systems capable of withstanding crises.

Wegrzyn stated, “UPGRADE will expedite the process from identifying a device vulnerability to safely deploying automated patches in a matter of days, providing confidence to hospital staff and reassurance to patients under their care.”

ARPA-H added that it anticipates awarding multiple contracts under this solicitation. Interested parties can express their intention to form a performer team via the UPGRADE program page.

Addressing the Surge in Healthcare Cyber-Attacks

This announcement follows a series of high-profile ransomware attacks on US healthcare organizations in 2024, resulting in significant disruptions to patient care.

One such incident involved a ransomware attack on healthcare payment provider Change Healthcare in February 2024, causing delays in prescription services and other critical patient operations.

Following the attack, Change Healthcare’s parent company, UnitedHealth, confirmed paying a ransom, reportedly around $22 million, to the BlackCat ransomware group to restore its systems.

The US government is currently investigating the Change Healthcare ransomware attack to determine whether any protected health information (PHI) was compromised and whether the company fulfilled its regulatory obligations.

In another incident in May 2024, US healthcare giant Ascension disclosed being targeted by a ransomware attack, leading to ambulance diversions and the rescheduling of patient appointments.