Cybersecurity has become a major challenge for the healthcare sector, as a growing number of data breaches and high-profile cyberattacks rock the industry.
Attacks can disrupt critical operations and jeopardize patient care — and it can sometimes take weeks for hospitals to fully recover.
But patching vulnerabilities in the plethora of devices hospitals use can be difficult for often under-resourced IT teams, according to Andrew Carney, program manager for resilient systems at the Advanced Research Projects Agency for Health.
ARPA-H, an agency of the HHS modeled after the Defense Advanced Research Projects Agency — which contributed to breakthrough technologies like the internet — recently announced a new initiative that will invest more than $50 million to help hospitals defend against cyber threats. The program, called Upgrade, is seeking proposals for a software suite that could autonomously detect vulnerabilities, develop fixes and deploy them.
Carney spoke with Healthcare Dive about why hospitals often struggle to keep their systems secure and how Upgrade could help.
Editor’s note: This interview has been edited for clarity and brevity.
HEALTHCARE DIVE: I know ARPA-H is a relatively new agency. Can you tell me about ARPA-H and what you’re hoping to achieve?
ANDREW CARNEY: ARPA-H’s overall mission is to accelerate better health outcomes for everyone in the entire nation. The general ARPA model — whether it’s DARPA, ARPA-E or ARPA-H — is about finding those opportunities where you can move big levers and remove trade-offs that other actors in the space might have to make to achieve similar progress. We look for problems where we can clearly define the important goals, the challenges standing in our way and how we measure progress toward those goals. And then, of course, the impact in this case to healthcare.
What is the big problem you're trying to solve with Upgrade?
Computer security even for well-resourced tech companies is still a challenge. You add the complexity of healthcare environments — where you have many, many, many different vendors, you have lots of different application and software stacks — it’s very hard even within a single hospital system. You still have this wide diversity of vendors across the hardware and software that you're managing.
In contrast, if you’re talking about a Fortune 500 company that may have hundreds of thousands of employees or millions of endpoints around the world, configuration management is still a challenge there. But you’re able to manage a single-digit number of operating systems, a small number of patch levels, and configuration management becomes achievable. It’s attainable to move your entire estate toward a converged goal. And in healthcare, that’s not really an option.
This seems to be a common theme among critical infrastructure sectors generally. But whether it’s a hospital or a water filtration plant, each one has been uniquely designed and deployed and outfitted. And so it’s hard to develop generalized solutions for them.
Then you take the availability requirements. If we lose power for hours or days, we can deal with that. If we lose water for hours or days, we can deal with that. If hospitals lose access to patient records and the healthcare technology they use to deliver care, minutes may have a significant negative impact on critical patients. Hours may be devastating. So this availability requirement is a pretty high bar, even among critical infrastructure sectors.
At another workplace, you might have off hours where you can say, “Okay, we’re going to work on this after five o'clock,” but there’s not a lot of time at a hospital when it’s okay to take anything offline to update it. Is that part of the issue too?
Absolutely. Scheduling downtime is contentious when you don’t have a cybersecurity issue. Reducing capacity, even temporarily, carries costs and risks.
So how do you envision Upgrade will work?
We’re about providing evidence to inform the decisions folks are making about, do we patch this? Do we take the system offline? Do we spend precious funding or IT staff hours to develop a mitigation or address a critical issue? When you’re presented with hundreds or thousands of issues over many of these devices, it’s very hard even just to triage and prioritize. So as we produce evidence as to the severity of a vulnerability or the stability of a patch, I think that reduces the friction for folks to take the appropriate steps in the first place.
Another big piece of Upgrade is providing the technology to facilitate whatever those actions are. So having the knowledge, having the confidence, that this is the right action, that this is the right way to spend resources is great. I think it's very helpful in this case. And then on top of that, can we empower the IT teams to do what needs to be done quickly and effectively?
Just thinking about the way we have all the interfaces that are used to modify these devices, per the manufacturer’s specifications, per their instructions, these are all meant for human consumption. We have all these technologies that are able to evaluate and manipulate interfaces meant for humans. They’re able to use the context clues, they’re able to use certain amounts of, I'll say, machine learning. It’s about understanding the environment, and then figuring out a way to move through it logically.
From a commercial perspective, hospitals or healthcare networks, especially smaller providers, are a pretty daunting market. They’re very diverse and have diverse needs and interests. The risk involved in creating the decision support, the automation for all of those scenarios would feel like a pretty big problem to tackle. But I think it needs to be, and I think it's an ARPA-hard problem.
Are there hospitals or health systems you’re targeting in particular, like a small hospital that maybe doesn’t have the cybersecurity chops? Or are you trying for this to be as applicable to as many health systems as possible?
I think if we’re able to be successful with critical access and safety-net hospitals at that scale, then scaling up to larger hospital systems will be relatively straightforward. I don’t think that going the other direction will be as successful.