A Department of Health and Human Services agency will deploy more than $50 million to organizations that create tools to ensure these devices are kept safe and functional. The agency, known as ARPA-H, is soliciting proposals that can help hospitals spot weaknesses in their software and then automatically deploy custom fixes within days of an attack.
HHS Deputy Secretary Andrea Palm, who leads the department’s cybersecurity work, said that recent attacks on the largest US health insurer and a major hospital system are “proof points of the need for the sector to really step up its game.” The federal government, she told Bloomberg in an interview, has a unique responsibility to help it get there.
In February, a UnitedHealth Group Inc. subsidiary faced a cyberattack that paralyzed much of the US healthcare system. It’s likely to be the largest breach the sector has ever faced, disrupting billions in payments to doctors and hospitals, and potentially exposing the personal data of one-in-three Americans. It was followed by another major attack this month at Ascension, one of the country’s largest health systems. The Catholic-affiliated hospital network had to divert ambulances, suspend elective surgeries and reschedule appointments as it worked to get systems up and running again.
While the attacks on UnitedHealth and Ascension have served as high-profile examples of the damage caused by cyber criminals, the US healthcare sector is increasingly under duress. Over the past five years, there’s been a 256% increase in large breaches reported to HHS involving hacking and a 264% increase in ransomware. “It’s Ascension today, it’ll be somebody else tomorrow, or next week, or the week after that,” Palm said.
The project to improve hospitals’ cyber defenses will be led by Advanced Research Projects Agency for Health, or ARPA-H, an agency modeled after an innovative Defense Department unit that was key in developing the GPS and the internet. ARPA-H, which is designed to quickly expedite the development of biomedical breakthroughs, began focusing on healthcare security vulnerabilities last summer. The new $50-million-plus project marks its largest cyber investment to date.
The project, known as UPGRADE, or Universal PatchinG and Remediation for Autonomous DEfense, is expected to dole out multiple awards.
Palm said that the stakes for addressing cyberattacks are higher in health care than many industries, demanding the US take on “a different kind of role” in supporting the market.
“US healthcare is a private-market system—we have levers in our regulatory tools, but that only goes so far,” Palm said. “It’s finally coming to the fore as a priority because of the increase in attacks that we’ve seen.”
The Biden administration is also seeking to put in place requirements for minimum cybersecurity standards for entities that receive money from Medicare and Medicaid, Bloomberg reported earlier this month. The time table for publishing those requirements isn’t yet known.
© 2024 Bloomberg L.P.