How the DIGIHEALS Project Is Tackling Cybersecurity Technology Gaps

November 08, 2023 - Despite increased attention from lawmakers and a renewed focus on healthcare cybersecurity awareness, the healthcare sector remains a top target favored by threat actors around the world. In fact, more than 88 million individuals have been impacted by large breaches reported to HHS in 2023 so far, signifying a 60 percent increase from 2022.

An influx of cybersecurity vendors have stepped up to offer technological solutions to these ongoing cyber challenges. But wide technology gaps remain, HHS suggested in August 2023, when it announced the formation of the Digital Health Security (DIGIHEALS) project.

Spearheaded by the Advanced Research Projects for Health (ARPA-H), a funding agency within HHS, the DIGIHEALS project aims to advance the development of new technologies that help ensure that patients continue to receive care amid a widespread cyberattack on a medical facility.

ARPA-H has already awarded $50 million in funding to various institutions to launch research into subjects such as automatic patching and vulnerability detection technologies.

HealthITSecurity spoke with Andrew Carney, ARPA-H program manager, to discuss the overarching goals of the project and its current research initiatives.

What is the DIGIHEALS Project?

“DIGIHEALS is about ensuring that patients continue to receive care in the wake of a cyberattack on a medical facility,” Carney explained. “We also have the opportunity, with the same technology, to improve the quality of care patients receive by reducing the overall pressure on our healthcare system or the regional resources in a specific geographic area.”

The project was motivated by the idea that many security solutions in the healthcare space are adapted from wider commercial offerings and may not take into account the specific requirements of healthcare cybersecurity, Carney reasoned.

Healthcare is unique in that many organizations rely on legacy systems and medical devices that can have a lifespan spanning ten-plus years. What’s more, hospitals must manage thousands of internet-connected devices simultaneously and keep track of newly reported vulnerabilities and patches across all those devices.

All these challenges are compounded by the fact that patient safety is on the line amid any operational disruption.

“If there's a power outage, most people can go 12 hours without power. We can do a couple of days with a boil water alert or something like that. But if you are in the hospital on a ventilator, that's where your situation is much more sensitive to disruptions,” Carney stated.

“And more generally, our capacity to provide care, as a nation, is not so over-provisioned that we can really afford any of our facilities going down for any meaningful amount of time. So that healthcare facility uptime is a precious resource and we're looking to maximize that in the face of this growing and unfortunate threat.”

With this in mind, ARPA-H set its sights on funding research to improve the resilience and cybersecurity of US healthcare systems. The funding agency specifically seeks out projects “with the potential to advance areas of medicine and health that cannot readily be accomplished through traditional research or commercial activity,” its website states.

Healthcare cybersecurity, with all its unique considerations, seemed to fit the ARPA-H mission.

“It's not reasonable to expect a regional hospital, or even a large urban hospital to compete with nation-state level cyber threat actors,” Carney suggested. “Our tools today don't really fill that gap.”

Research initiatives under the DIGIHEALS project are already underway, facilitating the development of an automated medical device patching program, a healthcare ransomware resiliency and response program, and a project aimed at improving the interoperability of EHR systems.

Project Highlight: Software Bill of Behaviors

Another new project focuses on software bill of materials (SBOM) shortcomings. Under the DIGIHEALS program, ARPA-H awarded up to $3 million to Karambit.AI to fund research into a software bill of behaviors, signifying a potential departure from SBOMs.

SBOMs, which are essentially the software equivalent of a food ingredient list, have long been championed by security professionals for encouraging transparency and supply chain security. However, SBOM implementation is not without its challenges.

“In terms of this sort of zero-sum game of security resources and time, I think we have a long way to go for SBOM currently to really get to a place where we can use it in a very sort of surgical and context-sensitive fashion,” Carney noted.

“The software bill of behaviors approach uses static analysis to actually look at what the code does and characterizes different behaviors such as when this piece of software opens up this specific port and listens on it, or this piece of code puts user data into a weak sandbox and it executes it.”

Rather than requiring organizations to sift through SBOMs, a software bill of behaviors would enable them to identify specific vulnerabilities and how applicable they are to the organization based on the deployment of specific code.

“If you have enough patches from a given piece of software and you can identify the severity of the changes to the code, and if you additionally have some lightweight dynamic analysis based on how your machines or how your facility is using that software, you can with relatively high confidence, determine whether or not a change is likely to impact your workflows,” Carney explained.

Eventually, the team envisions some layer of automation in this process that would help security professionals determine how much a patch would impact operations and further enable thoughtful patching in hospital settings.

Looking Ahead

Over time, Carney’s team aims to leverage the DIGIHEALS project to further promote innovation in the healthcare cybersecurity space, closing technological gaps and addressing sector-wide vulnerabilities along the way.

“I think that as a market for security products, healthcare is underserved by industry today,” Carney suggested. “If up-and-coming technology firms in the security space are looking for some sort of startup play, mid-size and small hospitals are maybe not where they're looking for a payday. And I'm not saying that that should be the primary driver of innovation or success in this space, but I think we do see less attention given to these problems.”

In late September, ARPA-H announced up to millions in funding for six contract awards through the DIGIHEALS project, including the aforementioned software bill of behaviors project. The contract awardees range from technology companies to universities, all of which are working on unique initiatives to enable innovation.

For example, up to $16 million went toward developing Automated Medical device Patching (AMdP2), which will provide device manufacturers and cybersecurity firms with an automated firmware vulnerability detection and remediation capability.

Another project, spearheaded by University of California San Diego researchers, seeks to create clinician-focused tools for improving capacity and quality of care amid a cyberattack.

“One of the important things that we are doing both with this project and as an agency is really ensuring that the program managers spend time in the trenches with the clinicians and administrators that they are trying to help,” Carney added.

“Beyond just any individual effort or the program, building that bridge and creating that new research and development pathway is something I'm very excited about.”