U.S. Health Agency Seeks to Shield Private Hospitals from Deluge of Cyberattacks

The US government is seeking to play a more active role in protecting the private health-care sector from a deluge of cyberattacks that have disrupted patient care and left providers unpaid.

US health officials will unveil Monday a new program to create tools that defend internet-connected hospital equipment from cyberattacks that could take them offline or leave them incapacitated. The effort could shore up protections for imaging devices used to detect cancer or assist with surgeries, EKGs that monitor heartbeats and systems that allow doctors to prescribe drugs to patients.

A Department of Health and Human Services agency will deploy more than $50 million to organizations that create tools to ensure these devices are kept safe and functional. The agency, known as ARPA-H, is soliciting proposals that can help hospitals spot weaknesses in their software and then automatically deploy custom fixes within days of an attack.

Related: UnitedHealth Hack Put Data of One in Three Americans at Risk

HHS Deputy Secretary Andrea Palm, who leads the department’s cybersecurity work, said that recent attacks on the largest US health insurer and a major hospital system are “proof points of the need for the sector to really step up its game.” The federal government, she told Bloomberg in an interview, has a unique responsibility to help it get there.

In February, a UnitedHealth Group Inc. subsidiary faced a cyberattack that paralyzed much of the US health-care system. It’s likely to be the largest breach the sector has ever faced, disrupting billions in payments to doctors and hospitals, and potentially exposing the personal data of one-in-three Americans. It was followed by another major attack this month at Ascension, one of the country’s largest health systems. The Catholic-affiliated hospital network had to divert ambulances, suspend elective surgeries and reschedule appointments as it worked to get systems up and running again.

While the attacks on UnitedHealth and Ascension have served as high-profile examples of the damage caused by cyber criminals, the US health-care sector is increasingly under duress. Over the past five years, there’s been a 256% increase in large breaches reported to HHS involving hacking and a 264% increase in ransomware. “It’s Ascension today, it’ll be somebody else tomorrow, or next week, or the week after that,” Palm said.

The project to improve hospitals’ cyber defenses will be led by Advanced Research Projects Agency for Health, or ARPA-H, an agency modeled after an innovative Defense Department unit that was key in developing the GPS and the internet. ARPA-H, which is designed to quickly expedite the development of biomedical breakthroughs, began focusing on health-care security vulnerabilities last summer. The new $50-million-plus project marks its largest cyber investment to date.

The project, known as UPGRADE, or Universal PatchinG and Remediation for Autonomous DEfense, is expected to dole out multiple awards.

Palm said that the stakes for addressing cyberattacks are higher in health care than many industries, demanding the US take on “a different kind of role” in supporting the market.

“US health care is a private-market system—we have levers in our regulatory tools, but that only goes so far,” Palm said. “It’s finally coming to the fore as a priority because of the increase in attacks that we’ve seen.”

The Biden administration is also seeking to put in place requirements for minimum cybersecurity standards for entities that receive money from Medicare and Medicaid, Bloomberg reported earlier this month. The time table for publishing those requirements isn’t yet known.

Top photo: Doctors monitor an electrocardiogram recording of a patient’s cardiac cycle produced by an electrocardiograph. Diagnosing the patients and their family members won’t only improve their chances for a long and healthy life, it will identify the most robust market for the new drugs.