HHS to invest over $50 million in hospital cybersecurity

An HHS agency is seeking proposals on ways to improve cybersecurity following a series of cyberattacks.
Following a series of high-profile and costly cyberattacks against the healthcare industry, the federal government is stepping in with a $50+ million initiative intended to boost hospital cybersecurity, a division of the Department of Health and Human Services (HHS) announced on May 20.

Large cybersecurity breaches in the healthcare sector have increased by 256% in the last five years, and ransomware incidents have increased by 264%, according to HHS data. A massive cyberattack against Change Healthcare began in February, for example, and lasted over a month, costing providers an estimated $100 million per day. And earlier this month, national hospital operator Ascension reported a cyberattack that’s forced many of its employees to transition to manual recordkeeping.

The initiative, called Universal Patching and Remediation for Autonomous Defense, or UPGRADE, is meant to shorten the time it takes hospitals to detect and respond to potential cyberattacks, per an ARPA-H press release. It will be run by an HHS division called the Advanced Research Projects Agency for Health, or ARPA-H, which was formed in 2022 to support health and biomedical research.

One of the biggest challenges to improving hospital cybersecurity is the fact that hospitals use many different internet-connected devices, according to ARPA-H.

“It’s particularly challenging to model all the complexities of the software systems used in a given healthcare facility, and this limitation can leave hospitals and clinics uniquely open to ransomware attacks,” Andrew Carney, a program manager for the UPGRADE program, said in the release. “With UPGRADE, we want to reduce the effort it takes to secure hospital equipment and guarantee that devices are safe and functional so that healthcare providers can focus on patient care.”

How it’ll work: ARPA-H is seeking proposals from health IT experts, medical devicemakers, healthcare providers, and other industry stakeholders that introduce ways hospitals can more rapidly detect and fix cybersecurity weaknesses with “minimal interruption to the devices in use in a hospital.”

Navigate the healthcare industry

Healthcare Brew covers pharmaceutical developments, health startups, the latest tech, and how it impacts hospitals and providers to keep administrators and providers informed.

Specifically, the agency is looking for proposals on how to: create vulnerability mitigation platforms, develop “digital twins” of tech equipment used in hospitals, rapidly and automatically detect software vulnerabilities, and develop defenses for such vulnerabilities.

ARPA-H plans to select multiple winning proposals, which will each receive a chunk of the more than $50 million the agency is investing in the UPGRADE program.

A draft solicitation including details on the program’s timeline will be posted this month, and awards will likely be given out later this year, according to Jen Roberts, resilient systems mission office director for ARPA-H.

Zoom out: The UPGRADE program is the latest in a series of steps the federal government has taken to boost hospital cybersecurity.

In December 2023, HHS announced a healthcare sector cybersecurity plan, which included giving hospitals financial incentives to implement cyber-safety protocols as well as helping them prioritize which steps to take to boost security measures.

Last year, ARPA-H also launched a project called Digital Health Security (Digiheals), an initiative to address cybersecurity vulnerabilities in healthcare. The division also partnered with the Defense Advanced Research Projects Agency within the Department of Defense in March 2024 on a project to use artificial intelligence to protect health systems against cyberattacks.

In the statement announcing UPGRADE’s creation, HHS Deputy Secretary Andrea Palm said the initiative is “yet another example of HHS’s continued commitment to improving cyber resiliency across our healthcare system.”

“ARPA-H’s UPGRADE will help build on HHS’s Healthcare Sector Cybersecurity Strategy to ensure that all hospital systems, large and small, are able to operate more securely and adapt to the evolving landscape,” she added.

Do you work in healthcare or have information about the industry that we should know? Email Maia at [email protected]. For confidential conversations, ask Maia for her number on Signal.