UPGRADE launches to fortify medical devices against cyber threats

The ARPA-H Universal Patching and Remediation for Autonomous Defense (UPGRADE) program aims to create new tools to help hospitals’ information technology teams better detect and remediate cyber-threats.  

“Cyberattacks on hospitals are now a direct threat to patient safety and the resilience of America’s health system,” said ARPA-H Director Dr. Alicia Jackson. “This is not a problem we can solve one device, one patch, or one hospital at a time — it demands the kind of bold, integrated approach that only an ARPA-level effort can deliver. Through UPGRADE, ARPA-H is investing in breakthrough, automated cyber defenses so that every hospital, from major medical centers to rural critical access facilities, can secure vulnerable equipment in days instead of months and keep patient care running, even under attack.” 

“Hospitals face unique security challenges that can directly impact patient care,” said UPGRADE Program Manager Andrew Carney. “With UPGRADE, we’re empowering healthcare IT teams with the tools to proactively defend their complex web of medical device systems against ransomware attacks, so care is uninterrupted, and patients are safe.” 

The agency’s initial total commitment to these teams is up to $43 million. Other Transactions Agreements (not procurement contracts, grants, or cooperative agreements) vary in funding amount per awardee and are contingent upon each team meeting aggressive and accelerated milestones.   

Funding for awardees varies in amount and is contingent upon the recipient meeting aggressive milestones specific to their project. 

The UPGRADE performer teams are led by: 

• Aarno Labs, in Boston, seeks to revolutionize how hospitals address software vulnerabilities by providing formally verified, automatically generated remediations that can be deployed easier and with limited interruption.
• Galois, in Dayton, Ohio, aims to use novel algorithms to address discovered medical device cybersecurity vulnerabilities, through existing device and network modifications, while minimizing impact on patient care.
• The Georgia Institute of Technology, in Atlanta, will create a platform to help hospital IT teams automatically find, track, and fix vulnerabilities, and will use emulation to cover many types of medical devices. It will also automate how fixes are developed, tested, and deployed, making the process easier for users.
• Hawksbill, in Honolulu, will develop a first-of-its-kind model of cognitive behaviors and decision-making processes of expert hackers to create the next-generation of vulnerability detection tools for healthcare settings.
• HRL, in Malibu, Calif., aims to build an automated vulnerability detection system that seeks to mimic expert hackers’ workflows based on passively collected biometric data for validation.
• Northeastern University, in Boston, seeks to develop a comprehensive set of high-fidelity digital twins for devices across an entire hospital system to better help understand patching impacts and help IT-staff, administrators, and clinical staff make informed decisions to preserve patient safety and limit disruptions to hospital operations.
• Red Balloon Security, in New York City, will use its proprietary tools to help streamline the ability to analyze medical device software, which uses unique, complicated software packaging.
• Siemens Healthineers, in Malvern, Pa., seeks to develop a healthcare defense solution that will enable hospital systems, especially under-resourced facilities, to identify, prioritize, plan, and deploy security upgrades at scale for their connected medical equipment.
• Trail of Bits, in New York City, seeks to help supplement hospitals’ limited IT staff and resources by creating a novel, Artificial Intelligence/Machine Learning-driven, automated vulnerability remediation system to create and validate multiple distinct remedies for vulnerabilities discovered in medical devices.
• Vanderbilt University, in Nashville, Tenn., will empower hospitals to protect themselves against exploitable software vulnerabilities in medical devices by developing a Vulnerability Mitigation Platform to interface with a digital twin system of medical devices. 

For more information, visit the UPGRADE program page.