The Big Question 

What if every hospital could autonomously protect itself and patients from cyber threats? 

The Problem 

Hospitals are diverse in the care they provide, the devices they use, the vendors they purchase from, and the patients they serve. The variability in network-connected equipment across hospitals makes it difficult to ensure robust, up-to-date digital security. Even short disruptions to IT systems can critically impact patient services, especially as the devices most critical for patient health and safety are among the least protected. The complexities in securing the number and variety of internet-enabled medical devices may unwittingly open health care systems to ransomware and other cyberattacks. 

The Current State 

Unfortunately, cyberattacks that disrupt hospital operations can have lasting repercussions, limiting care availability for weeks or months or forcing facility closure. While proactive vendors patch consumer products with software weaknesses in days or weeks, health care technology can take over a year to patch at scale. Deploying security updates in hospitals is difficult because of the sheer number of internet-connected devices, limitations in health care IT resources, and low tolerance for device downtime needed to test and patch. Despite the size of the cybersecurity industry, health care sector challenges remain under addressed, even as more pieces of equipment are network-connected than ever before.  

The Challenge 

To protect hospital operations, keep devices secured, and ensure continuity of patient care, the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program envisions an autonomous cyber-threat solution that enables proactive, scalable, and synchronized security updates. Importantly, this software platform will enable simulated evaluations of potential vulnerabilities’ impact and adapt to any hospital environment across a wide array of common devices. The program aims to reduce the uncertainty and manual effort necessary to secure hospitals, guaranteeing that vulnerable equipment is fixed and allowing staff to focus on patient care. 

The Solution 

UPGRADE expects to bring together equipment manufacturers, cybersecurity experts, and hospital IT staff to develop a tailored and scalable software suite for hospital cyber-resilience. This broad effort intends to secure whole systems and networks of medical equipment to ensure mitigations can be deployed at scale. 

The program has four technical areas. Technical area 1 focuses on the creation of a vulnerability mitigation platform. Technical area 2 aims to create high-fidelity digital twins of equipment in hospital environments. Technical areas 3 and 4 seek to develop methods to rapidly and automatically detect software vulnerabilities and then confidently develop defenses for each.  

Why ARPA-H

One of ARPA-H's core focus areas is building resilient and integrated health care systems. By connecting autonomous digital security tools with hospitals that need them most, UPGRADE aims to develop systems that can sustain themselves between crises and fill a gap in digital health security.