An innovation agency within the US Department of Health and Human Services will fund research into better defenses for the US health care system’s digital infrastructure.
The Advanced Research Projects Agency for Health (Arpa-H), a research support agency within the United States Department of Health and Human Services, said today that it is launching an initiative to find and help fund the development of cybersecurity technologies that can specifically improve defenses for digital infrastructure in US health care. Dubbed the Digital Health Security project, also known as Digiheals, the effort will allow researchers and technologists to submit proposals beginning today through September 7 for cybersecurity tools geared specifically to health care systems, hospitals and clinics, and health-related devices.
For more than a decade, health care providers in the United States and around the world have been plagued by criminal cyberattacks, particularly ransomware attacks, that take advantage of medical facilities’ high-stakes work to attempt to extort big payouts. Efforts in recent years to crack down on and deter cybercriminal actors have made some limited progress, but health care attacks still occur regularly, disrupting vital services and endangering patients.
Health and Human Service’s research agency Arpa-H doesn’t specifically focus on cybersecurity innovation. The agency has programs running, for example, to spur advances in osteoarthritis treatment and medical imaging for cancer removal. But Digiheals program manager and longtime security researcher Andrew Carney says there is a dire need to make progress on digital defense tools for health care that are both effective and usable for medical facilities in practice.
“We’re looking for rapid and stupendous progress,” Carney told WIRED ahead of the announcement. “We want to ensure that the impact we have is significant but also equitably distributed. It doesn’t matter if we develop a perfect cure that makes a network completely impenetrable if a rural hospital can’t adopt it because of light IT staff or minimal or no security budget.”
Digiheals is seeking broad and diverse submissions related to vulnerability detection, software hardening, and system patching, as well as the expansion or development of security protocols. The initiative will accept submissions from anyone, including academic and nonprofit researchers or commercial industry. Carney emphasizes that, ultimately, the goal is to foster novel and inventive solutions regardless of where they come from or what category they fit into.
“We are looking to very rapidly cast a wide net,” he says. “I’d encourage folks even if they have ideas that don’t fit cleanly or won’t fit the timeline of the solicitation to come talk to us. We will make the process fit the ideas we receive as best we can.”
Carney points out that it is particularly difficult to study the real-world conditions of cybersecurity in health care, because each medical provider’s network is made up of a vast patchwork of systems, services, and devices that vary widely. And there is no margin for error in probing individual institutions’ systems or attempting to attack them intentionally to discover weaknesses. So Digiheals is also encouraging researchers to make submissions related to the types of security tools that are not working in health care settings and the reasons for these failings.
“Currently, off-the-shelf software tools fall short in detecting emerging cyber threats and protecting our medical facilities, resulting in a technical gap we seek to bridge with this initiative,” Arpa-H director Renee Wegrzyn said in a statement. “The Digiheals project comes when the US health care system urgently requires rigorous cybersecurity capabilities to protect patient privacy, safety, and lives.”
After years of damaging cyberattacks on hospitals and disruptions to patient care, the Digiheals initiative may feel like too little, too late. Earlier this month, a ransomware attack on the medical group Prospect Medical Holdings, which operates in Connecticut, Pennsylvania, Rhode Island and Southern California, caused disruptions at multiple hospitals and clinics in the network. The recovery process is ongoing. But Arpa-H is a new agency launched by the Biden administration last year to help address a number of issues in US health care that are massively overdue for investment.
“Health care gets the most difficult of the challenges from every angle,” Carney says. “We’re constantly working at near or above capacity, and any reduction in service can have real harm very quickly. But we have an ability to move very fast on new digital defenses, and it behooves us to do so. It would be irresponsible of us not to move fast.”