The Advanced Research Projects Agency for Health (ARPA-H) is a U.S. federal agency operating independently under the aegis of the National Institutes of Health whose mission is to “accelerate better health outcomes for everyone by supporting the development of high-impact solutions to society’s most challenging health problems.” On May 20, ARPA-H announced a new initiative called Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) aimed at developing technologies for improving cybersecurity for healthcare organizations.
A Worthwhile Goal
UPGRADE comes with $50 million in new funding to support collaborative research and development ARPA-H says is needed to create “an autonomous cyber-threat solution that enables proactive, scalable, and synchronized security updates. Importantly, this software platform will enable simulated evaluations of potential vulnerabilities’ impact and adapt to any hospital environment across a wide array of common devices. The program aims to reduce the uncertainty and manual effort necessary to secure hospitals, guaranteeing that vulnerable equipment is fixed and allowing staff to focus on patient care.”
That is a worthwhile goal.
Clearly there is a critical need to stem the tide of cyberattacks on the healthcare industry, and while I am glad to see that the federal government has taken notice, I can’t help but wonder if leadership at ARPA-H have taken a look at the cybersecurity market to see what innovative solutions exist that already do what it hopes to accomplish. If so, they might have noticed that there are already billions of dollars in private investment capital pouring into the market to address this very issue, and many “high-impact solutions” are already available to help address the cyberthreats that hamper the industry’s ability to focus on patient care.
In fact, a part of the hypothetical software platform ARPA-H describes sounds a lot like the platform Ordr’s customers have been using for years. The Ordr platform reduces their cyber risk, prevents and mitigates the effects of cyberattacks, automates responses in the face of threats, maximizes operational resilience for hospitals, and allows them to maintain effective operations without the need to resort to radical “code dark” exercises.
Ideals vs. the Realities
From my perspective as a former healthcare CTO/CIO, and confirmed by the numerous conversations I’ve had (and continue to have) with my peers in the industry, the challenge isn’t primarily one of a lack of tools capable of addressing the threats the industry faces; it is in having the resources (time, money, and people) necessary to invest in and implement those tools. And this problem is most acute in the mid-market, rural, and disadvantaged communities where finances are focused on keeping the lights on. Cybersecurity may be near the top of priorities, but even placing second on that list means making do with a meager budget and keeping your fingers crossed.
Perhaps when ARPA-H assembles its body of experts it will conclude that there’s no real value in initiating a process that our great community of cybersecurity vendors is already driving toward, and focus their efforts (and $50M) on an area where improvement is possible and solutions are lacking. I choose to be optimistic in this regard because it is encouraging to see the problem acknowledged, and federal dollars allocated to try and do something about it.
New Innovation, Not Recreations
Rather than try to recreate existing technology, ARPA-H might want to look at what Health and Human Services is doing with their Healthcare Sector Cybersecurity strategy and think about how to complement that initiative. There is an opportunity to apply new innovations in pursuit of HHS’ four Healthcare Sector Cybersecurity goals, namely:
- Establish voluntary cybersecurity performance goals for the healthcare sector
- Provide resources to incentivize and implement these cybersecurity practices
- Implement an HHS-wide strategy to support greater enforcement and accountability
- Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity
And by working with industry experts to estimate budget, then enlisting Congress to allocate significant financial resources, funding (far more than $50 million) can be made available to those hospitals serving mid-market, rural, and disadvantaged communities in the form of grants, loans, and incentive programs specifically for the purpose of funding investments in the people, processes, and technologies needed to defend against cyberthreats. Such a program should be easy to access and apply for (heaven knows they don’t need more burdensome paperwork thrust upon them), while structured to ensure that the monies provided are spent in direct support of effective cybersecurity investments and programs.
No More Unfunded Mandates
It is frustrating for those responsible for securing the most at-risk hospitals to read about more mandates and best practices proclaimed from afar when they are fighting for every dollar they can get to simply keep their IT running. No one in healthcare IT and security is ignorant of the threats they face, and they all want to do the best they can for their organization and the patients they serve. There are good security tools available to them; what they need is the means to access them and put them to use.
For more information about Ordr and how we protect healthcare organizations, contact us to see our platform in action.