Software aims to better protect hospitals against cybersecurity attacks

Hospitals rely heavily on technology for everything from day-to-day operations to using life-saving medical devices. This reliance puts hospitals at risk of cybersecurity attacks, which could expose patient data or make critical medical technologies unusable. Given the serious consequences for patient care and data privacy, hospitals must work quickly to find and eliminate cybersecurity threats when they arise.

Despite the importance of maintaining secure software, there are unique challenges that prevent hospitals from addressing cybersecurity issues efficiently. Older machines may not be compatible with new software which can delay updates. Since many systems and machines provide essential care around the clock, it can be challenging to find a time to patch in updates that keep systems secure.

Lin Family Assistant Professor Dan Votipka is part of a team led by researchers at the Georgia Institute of Technology who are working to improve this issue. The group recently received a contract from the ARPA-H UPGRADE program to support their work. They plan to build a tool that allows hospitals to quickly fix vulnerabilities in their systems. The group is partnering with three different Georgia-based healthcare facilities to design and test this technology, known as the Hospital-Integrated Vulnerability Identification and Proactive Remediation (H-VIPER).

The team will take a layered approach to finding and addressing vulnerabilities. The first step is a Whole Hospital Simulation (WHS), which allows security experts to test and deploy remediations while ensuring patient care continuity. Second, equipment emulators will build on this capability to make vulnerability detection more efficient. H-VIPER will combine these two approaches to detect vulnerabilities across hospital networks, software, and devices.

Votipka lends his expertise in human factors for security professionals to the project. In particular, he will conduct user studies to investigate ways for healthcare workers and security experts to work together effectively on security patches. Using insights gathered from these studies, he will collaborate on a novel formal verification framework that will automate vulnerability detection. In the final stage of the project, he will develop an end-to-end verification system that will ensure automated results are relevant and worthy of human review. Ultimately, H-VIPER aims to make it easier for security professionals to review potential threats and enact appropriate safety measures within days instead of months.

Other researchers on the project include principal investigator Associate Professor Brendan Saltaformaggio of the Georgia Institute of Technology, and team members from Georgia Tech Research Institute, Iowa State University, San Diego nonprofit Narf Industries, and three Georgia hospitals: Children’s Healthcare of Atlanta, Hamilton Health Care System, and Emory Healthcare.

Learn more about ARPA-H.