HHS pledges $50M for autonomous vulnerability management solution for hospitals
As organizations in the healthcare sector continue to be a prime target for ransomware gangs and CISA warns about a vulnerability (CVE-2023-43208) in a healthcare-specific platform being leveraged by attackers, the Advanced Research Projects Agency for Health (ARPA-H) has announced the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program aimed at developing a vulnerability management platform for healthcare IT teams.
CVE-2023-43208 exploited by ransomware threat actors
CVE-2023-43208, an easily exploitable unauthenticated remote code execution vulnerability affecting NextGen HealthCare’s Mirth Connect data integration platform, has been patched by the company and publicly disclosed by Horizon3.ai researchers in October 2023.
CISA added it to its Known Exploited Vulnerabilities catalog on Monday, even though Microsoft Threat Intelligence found it being exploited by ransomware threat actors back in April.
That means that many months after the release of the patch, vulnerable internet-facing Mirth Connect instances were still available for attackers to exploit and use for initial access to healthcare organizations’ networks.
The UPGRADE program looks for healthcare vulnerability management solution
“While proactive vendors patch consumer products with software weaknesses in days or weeks, health care technology can take over a year to patch at scale,” ARPA-H says.
“Deploying security updates in hospitals is difficult because of the sheer number of internet-connected devices, limitations in health care IT resources, and low tolerance for device downtime needed to test and patch. Despite the size of the cybersecurity industry, health care sector challenges remain under addressed, even as more pieces of equipment are network-connected than ever before.”
The goal of the UPGRADE program is to create a security platform that will adapt to any hospital environment, proactively and autonomously simulate/evaluate the risk and potential impact of vulnerabilities, procure or develop a patch, test it in a model environment, and deploy it in a way that’s minimally disruptive to medical, IT, and other devices in use at healthcare delivery organizations.
“UPGRADE expects to bring together equipment manufacturers, cybersecurity experts, and hospital IT staff to develop a tailored and scalable software suite for hospital cyber-resilience,” says Andrew Carney, ARPA-H’s program manager for resilient systems.
“The program has four technical areas. Technical area 1 focuses on the creation of a vulnerability mitigation platform. Technical area 2 aims to create high-fidelity digital twins of equipment in hospital environments. Technical areas 3 and 4 seek to develop methods to rapidly and automatically detect software vulnerabilities and then confidently develop defenses for each.”
Investment in the program is expected to surpass $50 million. Applicants can propose solutions until June 18, 2024.