Skip to main content

A Little Help from My Friends: HHS Injects Money into the Cyberwar

May 22, 2024

We humans like to be moved, and music has the unique ability to touch our souls and affect our emotions like few other mediums. It can even have a physical effect on the ones imparting the music. Who can forget the supercharged performance of the inimitable Joe Cocker, with his flailing arms and gut-busting vocals, as he belts out his version of the Beatles’ “I Get By with a Little Help from My Friends?” He clearly believed in what he was singing. And we would all agree with him: it is indeed good to have friends—especially if they’re in high places. Significantly, the hospital community just got a little help from some highly placed friends in the form of cold hard cash.

We have in recent weeks sent out alerts on the cyberattack involving Optum’s Change Healthcare and how that event caused disruptive ripples across the hospital industry. Then, last week, we brought you an article dealing with a ransomware attack affecting the Ascension health system, with its 140 hospitals in 19 states. Because these kinds of attacks are on the rise, the federal government has decided to step in.

Who Are the Friends?

This past Monday, the U.S. Department of Health and Human Services (HHS) infused $50 million into the fight against ransomware attacks against the nation’s hospitals. According to some experts, the only hope of preventing the release of patients’ protected health information (PHI) and getting back functionality of other vital digitals systems once compromised is to meet the demands of the bad actors. In other words, hospitals have been forced to pay the ransom. Now, with this new federal initiative, hospitals may have a better chance of avoiding this fate.

Back in 2022, HHS added a new agency—under the aegis of the National Institutes of Health—that is charged with developing tools for hospital IT teams that enhance their cybersecurity measures and resources to combat ransomware. Known as the Advanced Research Projects Agency for Health (ARPA-H), this relatively new agency is up and running and is already making an impact in cyber defense.

What Is the Help?

On May 20, the ARPA-H introduced a new weapon in the battle against cyberattacks within the healthcare space. The agency is calling this new cyber-shield strategy the Universal PatchinG and Remediation for Autonomous DEfense, or UPGRADE, program. 

The concept behind UPGRADE is to provide capabilities to each hospital to autonomously protect itself and its patients from cyber threats. To put it another way, the aim is “to develop a tailored and scalable software suite of remediations and patches for hospitals, reducing the patching time for vulnerable healthcare products to days or weeks,” according to one source close to the initiative.

According to ARPA-H Director Renee Wegrzyn, PhD, in a May 20 news release, “UPGRADE will speed the time from detecting a device vulnerability to safe, automated patch deployment down to a matter of days, providing confidence to hospital staff and peace of mind to the people in their care.”

Will Hospitals Get By?

While the $50 million has already been pledged to the project, the tools have yet to be fully developed and implemented. The program will seek proposals in four technical areas:

  • Creating a vulnerability mitigation platform.
  • Developing high-fidelity digital twins of equipment in hospital environments.
  • Rapidly and automatically detecting software vulnerabilities.
  • Confidently developing defenses for each vulnerability.

The agency is making no promises and has no illusions as to the extent of the challenge before them. The UPGRADE program manager, Andrew Carney, related the following in a recent statement:

It’s particularly challenging to model all the complexities of the software systems used in a given health care facility, and this limitation can leave hospitals and clinics uniquely open to ransomware attacks. With UPGRADE, we want to reduce the effort it takes to secure hospital equipment and guarantee that devices are safe and functional so that health care providers can focus on patient care.

So, hospital executives and IT leaders will have to wait and see if these federal friends with their federal funds can truly help hospitals to get by in these times of smash-and-grab cyber tactics. At least there are those within the Washington beltway who are showing some initiative in defending hospitals. For that, at least, we can be grateful.

Get the Latest RCM News Delivered

Receive practical tips on medical billing and breaking news on RCM in your inbox.

Get in Touch