Hospitals and large healthcare organizations have increasingly become prime targets for cybercriminals. In response, the Department of Health and Human Services (HHS) has established a new initiative within the National Institutes of Health (NIH) aimed at enhancing cybersecurity measures for hospitals.

This initiative, called “Universal Patching and Remediation for Autonomous Defense” (UPGRADE), was launched on May 20. UPGRADE’s mission is to develop a tailored and scalable suite of software tools that will enable hospital IT teams to effectively combat ransomware attacks and reduce the time needed to patch vulnerable healthcare products from months to just days or weeks.

The UPGRADE website highlights the program’s goal to unite equipment manufacturers, cybersecurity experts, and hospital IT staff to create a robust software suite designed to bolster hospital cyber-resilience. This announcement comes at a critical time in 2024, as the healthcare sector faces numerous ransomware attacks disrupting access to medical records and lifesaving devices. These cyberattacks not only threaten patient safety but also compromise patient privacy by exposing Protected Health Information (PHI) and other sensitive data. Healthcare organizations failing to safeguard patient records could incur significant penalties under HIPAA’s Privacy and Security Rules.

An upcoming solicitation from NIH will seek performer teams to submit proposals on four technical areas: creating a vulnerability mitigation software platform, developing high-fidelity digital twins of hospital equipment, auto-detecting vulnerabilities, and auto-developing custom defenses. NIH has released a draft module announcement seeking public feedback and expects to post the final module announcement for UPGRADE in June 2024.

This comes after Deputy National Security Advisor Anne Neuberger said the administration was looking into the establishment of minimum cybersecurity standards for entities receiving Medicare and Medicaid funding, as reported by Bloomberg earlier this month. However, the timeline for implementing these requirements remains unclear.

Additionally, in Congress, Sen. Mark Warner (D-VA) has proposed legislation that would prohibit advance or accelerated payments to providers that do not meet minimum cybersecurity standards established by HHS. The accelerated and advance payment programs are a key tool that allows providers whose payment systems are impacted by a cyberattack to still receive payment from Medicare for services provided.

Reed Smith will continue to follow developments related to cybersecurity in health care. If you have any questions about the UPGRADE program or any other cybersecurity developments, please do not hesitate to reach out to the health care lawyers at Reed Smith.