The Advanced Research Projects Agency for Health (Arpa-H), a research support agency within the United States Department of Health and Human Services, said today that it is launching an initiative to find and help fund the development of cybersecurity technologies that can specifically improve defenses for digital infrastructure in US health care. Dubbed the Digital Health Security project, also known as Digiheals, the effort will allow researchers and technologists to submit proposals beginning today through September 7 for cybersecurity tools geared specifically to health care systems, hospitals and clinics, and health-related devices.
For more than a decade, health care providers in the United States and around the world have been plagued by criminal cyberattacks, particularly ransomware attacks, that take advantage of medical facilities’ high-stakes work to attempt to extort big payouts. Efforts in recent years to crack down on and deter cybercriminal actors have made some limited progress, but health care attacks still occur regularly, disrupting vital services and endangering patients.
Health and Human Services’ research agency Arpa-H doesn’t specifically focus on cybersecurity innovation. The agency has programs running, for example, to spur advances in osteoarthritis treatment and medical imaging for cancer removal. But Digiheals program manager and longtime security researcher Andrew Carney says there is a dire need to make progress on digital defense tools for health care that are both effective and usable for medical facilities in practice.
“We’re looking for rapid and stupendous progress,” Carney told WIRED ahead of the announcement. “We want to ensure that the impact we have is significant but also equitably distributed. It doesn’t matter if we develop a perfect cure that makes a network completely impenetrable if a rural hospital can’t adopt it because of light IT staff or minimal or no security budget.”
Digiheals is seeking broad and diverse submissions related to vulnerability detection, software hardening, and system patching, as well as the expansion or development of security protocols. The initiative will accept submissions from anyone, including academic and nonprofit researchers or commercial industry. Carney emphasizes that, ultimately, the goal is to foster novel and inventive solutions regardless of where they come from or what category they fit into.
“We are looking to very rapidly cast a wide net,” he says. “I’d encourage folks even if they have ideas that don’t fit cleanly or won’t fit the timeline of the solicitation to come talk to us. We will make the process fit the ideas we receive as best we can.”
Carney points out that it is particularly difficult to study the real-world conditions of cybersecurity in health care, because each medical provider’s network is made up of a vast patchwork of systems, services, and devices that vary widely. And there is no margin for error in probing individual institutions’ systems or attempting to attack them intentionally to discover weaknesses. So Digiheals is also encouraging researchers to make submissions related to the types of security tools that are not working in health care settings and the reasons for these failings.