Cover image credit: seregam
TL;DR:
- ARPA-H announced it will throw $50 million into the “UPGRADE” program to enhance cybersecurity for healthcare facilities
- The program aims to develop automated vulnerability scanners and patching, digital environment twins, and other cybersecurity tools specifically for healthcare environments
- However, the program misses the mark on many real cybersecurity challenges faced by healthcare providers “in the wild” – it seems a well-intentioned but misguided effort that leaves healthcare a tempting target for years to come
- A more effective approach would be to encourage standardization, improve patching infrastructure, and hold manufacturers and service providers accountable for secure medical devices & supporting services
Intro & Background
The Recent ARPA-H Announcement
ARPA-H recently unveiled its UPGRADE program, a $50 million initiative aimed at enhancing cybersecurity in healthcare facilities. The program’s objectives are ambitious, targeting four main areas, including vulnerability mitigation, digital twins of hospital infrastructure, and the development of automated cybersecurity solutions. Collaborations will span various sectors, aiming to produce actionable research, products, and services.
A little bit about ARPA-H
ARPA-H, modeled after DARPA, was established in 2022 to drive transformative innovation in health research. Its mission is to “make pivotal investments to drive transformative innovation in health research and speed application of health breakthroughs.”
The agency is led by Dr. Renee Wegrzyn, a bioengineer with experience at DARPA and Booz Allen, with the new UPGRADE program headed by Andrew Carney, a seasoned security and vulnerability researcher with a background in DoD organizations like Raytheon and DARPA.
Although ARPA-H has launched numerous initiatives, including novel cancer treatments and restoration of eyesight to the blind, none have yet yielded results – which is in line with DARPA’s own operations.
The announcement in detail
According to the official program description and press release, the four main objectives of UPGRADE are:
- Developing an automated vulnerability mitigation system for medical devices and hospital networks.
- Creating digital twins of hospital infrastructure to simulate and test cybersecurity solutions.
- Enabling automated development of security patches for legacy medical devices and software.
- Deploying advanced monitoring and incident response capabilities tailored for healthcare environments.
The UPGRADE program aims to produce actual products and services, not just theoretical research, through collaboration across companies, government agencies, etc., with ARPA-H acting as ringleader/coordinator.
Why it’s (probably) all a big nothing-burger

Much as I’d like to cheerlead for help in a noted weak space in security (healthcare), looking at this through a critical lens should leave anyone skeptical…
Real, ugly truths about tech security in hospitals
Ask any practitioner who’s worked hospital tech what the problems are vis-à-vis security, and they’ll likely give you some combination of the following:
- Budget & Staff: Hospital IT departments are notoriously underfunded and understaffed, including in their cybersecurity functions.
- Non-Stop Operations: Critical devices can’t be taken offline easily for patching. It’s difficult to run phased patching on devices that are limited in number, in constant use, and CANNOT be “bricked” by a bad patch. You can’t ask a patient to hold her breath for 30 minutes while her respirator patches and reboots.
- Long Lifespan of Equipment: Medical devices have traits that lead to a long field life – they are expensive, functionally reliable, yet also must run continuously. They are not refreshed every 18 – 24 months like common IT infrastructure – leading to higher probability of existing vulnerabilities.
- Vendor Technology and Services: Many medical devices run on proprietary systems, incompatible with common security tools, and often written by engineers for whom “IT” is a second job, leading to expected security flaws. Hospitals also have limited visibility into vendor-managed services they often employ (a common problem in all third-party service security writ large).
The UPGRADE program acknowledges these issues, noting “Deploying security updates in hospitals is difficult because of the sheer number of internet-connected devices, limitations in health care IT resources, and low tolerance for device downtime needed to test and patch.”
But how do the UPGRADE program’s objectives address them?
UPGRADE: Practical Solutions to Today’s Problems, or Tilting at Windmills?

Let’s look at how UPGRADE’s objectives stack up against those common problems.
- Automated Vulnerability Scanning and Patch Deployment – Existing solutions from vendors like Rapid7, Qualys, and Ivanti already offer these capabilities. The real challenges here are compatibility with proprietary and legacy devices and a solution to the “Zero downtime requirement”.
- Automatic development of patches – This concept relies heavily on AI, which is still plagued by errors in 2024. Trusting these systems to autonomously code and deploy for critical medical devices (drug pumps, neurostimulators, pacemakers…) poses significant risks. The deaths caused by the Therac-25 offer a cautionary tale on overly trusting computerized control of critical medical devices.
- Digital Twins / virtual environment models – While potentially useful, these do not address the core issues of downtime, incompatibility with modern scanning tools, and vulnerable vendor services. Scanning a virtual replica of a proprietary tool my vulnerability solution can’t talk to doesn’t make me any more secure.
What this really is – two lenses on UPGRADE
A reaction to the news cycle and the need to visibly “Do something”
You can’t swing a dead cat without hitting a headline about a healthcare-related breach these days: Change Healthcare, HCA Healthcare, Managed Care North America, dozens of hospitals in the last year.
And so now we have a push from the top to “Do something” – agencies are mobilized, “make it better” directives passed down, and millions in funding allocated.
If it seems cynical – it is. Healthcare’s security problems are the same today as they were 5 years ago. Anyone in the space has heard this all before.
So yes, I’m taking a skeptical view of what seems a reactive move to “save face” by showing responsiveness…when proactivity would have been far better.

A well-meaning, but misguided push from the top down
While the program launches with ambitious goals, they are a mix of theoretical ideas and loosely defined targets that miss the mark of the on-the-ground reality.
More theoretical aspects of the program (e.g. AI-driven development) will land years down the road. DARPA’s best-known achievements show a very long time to market (when they pan out – not all do), even if some end up being revolutionary… and ARPA-H is very much built in DARPA’s mold (and is less mature to boot). In the meantime, healthcare facilities and services will still be in the crosshairs.
Even the more grounded solutions miss simpler approaches expanding on existing tools or adapting techniques in use in other industries to address needs like zero-downtime. Given ARPA-H’s leadership skews to researchers and scientists as opposed to “on the ground” practitioners, this isn’t entirely surprising – akin to the difference between a theoretical physicist and an engineer of the appropriate discipline. Both brilliant, but with very different perspectives.
What could be more effective? What should ARPA-H encourage?
- Standardization is king: Imagine diverse medical devices using common operating systems and protocols, built on security standards similar to software in other regulated industries. This would offer increased visibility, consistency of patching, and more controllable attack surface.
- Apply zero-downtime principles from SaaS to medical devices: Encourage new technologies that allow for easier patching with minimal downtime. Solve for how to apply SaaS best practices for hot swapping, trivial rollback, etc. to medical devices, and provide incentives for hospitals to adopt the new tech.
- Shift the blame game: Put a focus on device manufacturers and service providers to be secure by default – targeting the hospitals is the wrong strategy, and while parts of proposed White House hospital security standards are good, vendors and service providers should be an equal or larger target for liability.

Conclusion
As Ronald Reagan once said, “The nine most terrifying words in the English language are: ‘I’m from the government, and I’m here to help.’”
While ARPA-H’s intentions with the UPGRADE program are good, the implementation targets feel designed by well-meaning, extremely intelligent people missing the right blend of on-the-ground experience in the space. Without addressing real-world problems with more grounded solutions, UPGRADE is unlikely to deliver meaningful change on any practical time horizon.

