New HHS funding program announced to develop groundbreaking hospital cybersecurity software
Hospitals may soon benefit from a new tool being developed through recently allocated government funding to prevent cybersecurity incidents. On May 20, 2024, the Advanced Research Projects Agency for Health (ARPA-H), a funding agency overseen by the U.S. Department of Health and Human Services (HHS) for biomedical research, announced that the new program, Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE), has been selected to develop a groundbreaking cybersecurity software suite for hospitals.
Specifically, ARPA-H forecasts that the new software will have the ability to swiftly detect and address cybersecurity vulnerabilities, resulting in “an autonomous cyber-threat solution that enables proactive, scalable, and synchronized security updates.” Additionally, ARPA-H projects that the platform will “enable simulated evaluations of potential vulnerabilities’ impact and adapt to any hospital environment across a wide array of common devices.” UPGRADE will invest more than $50 million into this new project, which will be developed with insight from healthcare industry stakeholders and cybersecurity experts.
In announcing the new UPGRADE program, ARPA-H recognized several burdens commonly faced by hospitals in the realm of cybersecurity incident prevention, including the voluminous number of internet-connected devices in hospitals and industry-specific hurdles for testing and patching based on the sensitivity of downtime in a healthcare environment.
The launch of the UPGRADE program coincides with a recently published report from HHS on the state of healthcare cybersecurity noting a significant uptick in reported breaches. Specifically, according to data from HHS’ Office for Civil Rights (OCR), there has been a “93% increase in large breaches reported from 2018 to 2022 (369 to 712), with a 278% increase in large breaches reported to OCR involving ransomware from 2018 to 2022.”
In light of the increase in reported breaches, HIPAA Covered Entities continue to face regulatory scrutiny, and incidents involving 500 or more individuals result in automatic audits from the OCR. Additionally, hospital ransomware incidents can set the stage for the OCR to probe a variety of areas of compliance with the HIPAA Privacy, Security, and Breach Notification Rules to determine: (1) how the hospital could have prevented the attack; (2) what the hospital did to mitigate the effects of the incident; and (3) what the hospital will do moving forward to prevent a similar incident from occurring again in the future.
While the development of cybersecurity tools, such as those offered to hospitals through the UPGRADE program, will come with substantial benefits, hospitals should also anticipate further probing from the OCR with respect to efforts made by the hospitals to implement and maintain technical safeguards to prevent incidents from occurring.
McDonald Hopkins' data privacy and cybersecurity attorneys prepare our clients for, and can counsel them through, investigations by state and federal agencies, including those launched by OCR in the wake of cybersecurity incidents.