The US government’s Advanced Research Projects Agency for Health (ARPA-H) has committed over $50 million to developing technology aimed at automating the security of hospital IT environments.
The initiative, named Universal PatchinG and Remediation for Autonomous DEfence, or UPGRADE, will bring together equipment manufacturers, cybersecurity experts, and hospital IT staff to create a customized and scalable software suite for enhancing hospital cyber-resilience.
The program’s goal is to secure entire systems and networks of medical equipment, ensuring mitigation measures can be deployed on a large scale.
UPGRADE will concentrate on four key technical areas:
- Creating a platform for vulnerability mitigation
- Developing high-fidelity digital twins of hospital equipment
- Establishing methods to swiftly and automatically detect software vulnerabilities
- Creating defences for identified vulnerabilities
This week, the agency invited teams to apply for funding, totalling tens of millions of dollars, to develop and implement UPGRADE.
Stephen Gates, Principal Security SME, Horizon3.ai had this comment:
“In the context of rapidly and automatically detecting software vulnerabilities, the UPGRADE program tends to miss the point of exploitable vulnerabilities – and other weaknesses. Addressing exploitability appears to be the missing link here.
“Software vulnerabilities are nothing new and vulnerable software discoveries will never cease to challenge organizations’ rapid patching efforts. Simply put, all software has hidden vulnerabilities but not all vulnerabilities are exploitable.
“What medical organizations (and any other organization) need today is a proven methodology of uncovering blind spots in their security postures that go beyond known and patchable vulnerabilities, such as easily compromised credentials, exposed data, misconfigurations, poor security controls, and weak policies. These issues are the catalysts that most often enable successful cyber-attacks.
“Today, autonomous cyber risk assessment technologies are readily available to continuously test any organizations’ infrastructure to safely expose where they are at risk of exploitation by threat actors. Without this visibility, organizations will continue to remain at least one step behind attackers with no end in sight.
“The challenge is that the majority of organizations have zero visibility into what is exploitable in their environments and what is not. They continue to be reactive to every vulnerability announcement, instead of being proactive by finding what threat actors can actually exploit. Throwing every defensive measure at the problem will not solve a condition of exploitability either, as it often just hides it. Once exploitability is proactively addressed, measurable security improvement will be the result.”
I’ve been saying for a long time that the health care sector is low hanging fruit for threat actors. Hopefully initiatives like this one will tip the scales in favour of the good guys as the status quo of health care organizations getting pwned is not sustainable.
Related
This entry was posted on May 23, 2024 at 8:00 am and is filed under Commentary with tags ARPA-H. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
ARPA-H Offers $50M Challenge To “UPGRADE” Hospital Cyber Defences
The US government’s Advanced Research Projects Agency for Health (ARPA-H) has committed over $50 million to developing technology aimed at automating the security of hospital IT environments.
The initiative, named Universal PatchinG and Remediation for Autonomous DEfence, or UPGRADE, will bring together equipment manufacturers, cybersecurity experts, and hospital IT staff to create a customized and scalable software suite for enhancing hospital cyber-resilience.
The program’s goal is to secure entire systems and networks of medical equipment, ensuring mitigation measures can be deployed on a large scale.
UPGRADE will concentrate on four key technical areas:
This week, the agency invited teams to apply for funding, totalling tens of millions of dollars, to develop and implement UPGRADE.
Stephen Gates, Principal Security SME, Horizon3.ai had this comment:
“In the context of rapidly and automatically detecting software vulnerabilities, the UPGRADE program tends to miss the point of exploitable vulnerabilities – and other weaknesses. Addressing exploitability appears to be the missing link here.
“Software vulnerabilities are nothing new and vulnerable software discoveries will never cease to challenge organizations’ rapid patching efforts. Simply put, all software has hidden vulnerabilities but not all vulnerabilities are exploitable.
“What medical organizations (and any other organization) need today is a proven methodology of uncovering blind spots in their security postures that go beyond known and patchable vulnerabilities, such as easily compromised credentials, exposed data, misconfigurations, poor security controls, and weak policies. These issues are the catalysts that most often enable successful cyber-attacks.
“Today, autonomous cyber risk assessment technologies are readily available to continuously test any organizations’ infrastructure to safely expose where they are at risk of exploitation by threat actors. Without this visibility, organizations will continue to remain at least one step behind attackers with no end in sight.
“The challenge is that the majority of organizations have zero visibility into what is exploitable in their environments and what is not. They continue to be reactive to every vulnerability announcement, instead of being proactive by finding what threat actors can actually exploit. Throwing every defensive measure at the problem will not solve a condition of exploitability either, as it often just hides it. Once exploitability is proactively addressed, measurable security improvement will be the result.”
I’ve been saying for a long time that the health care sector is low hanging fruit for threat actors. Hopefully initiatives like this one will tip the scales in favour of the good guys as the status quo of health care organizations getting pwned is not sustainable.
Share this:
Like this:
Related
This entry was posted on May 23, 2024 at 8:00 am and is filed under Commentary with tags ARPA-H. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.