With healthcare increasingly in attackers’ crosshairs, a US federal agency wants to spend more than $50 million to create a fully automated open-source threat detection tool for healthcare businesses, along with the ability to predict what an attacker is planning to do, according to an RFP published Friday.
The proposal is from the 2-year-old Advanced Research Projects Agency for Health (ARPA-H), a unit within the National Institutes of Health, itself a unit of the Department of Health and Human Services.
The idea of the funding “is to automate development and refinement of vulnerability remediation capabilities for known (n-day) and newly detected (0-day) vulnerabilities. Potential remedies may include but are not limited to vendor-provided remediations, application/equipment configuration changes, network architecture changes, network traffic modification, and input filtering.”
The goal is to allow for “detection-to-remediation within 5 days or faster, representing a significant reduction in the defensive capability development and deployment timeline,” according to the proposal.
The proposed tools “are likely to involve research that touches on multiple layers of the OSI model from low level radio frequency (RF) based protocols for transmission of data from implantable devices (potentially OSI layers 1-5), to secure and fault tolerant networking protocols for medical devices (potentially OSI layers 3-6) to the exchange of health information including Electronic Health Records, lab results and medical images related to a patient between healthcare facilities and health data brokers including but not limited to Health Information Exchanges (HIE) and Trusted Exchange Framework and Common Agreement (TEFCA) Qualified Health Information Networks using protocols such as HL7 FHIR (OSI Layer 7). This diversity requires careful consideration of the most appropriate standards to be used for the specific technologies in development and the layer at which they operate.”
The proposal wants submitters to go beyond detecting and analyzing healthcare attacks to trying to predict what the attackers will try next. The wording went beyond typical cybersecurity tactics to something that one industry expert said more closely resembles mind-reading.
Proposals should try to “capture and leverage the thought patterns of expert hackers as they analyze code for vulnerabilities. Using passive, non-invasive biometric sensing, and an instrumented research environment, [proposals] will map experts’ cognitive states to specific elements — e.g., functions, variables — with minimal disruption to their normal workflow. This process will capture expert intuition about relationships between elements and their vulnerability detection strategies in a comprehensive, machine-readable format. [Proposals] will develop tools to execute these human expert strategies at machine speed and scale, enabling [it] to deploy remediations to discover vulnerabilities faster than adversaries can exploit them [using] automated vulnerability detection tools and models of expert hacker workflows, focused on hospital equipment.”
The RFP also sought projections that appear to leverage generative AI, although instead of predicting the next word, the tool will try to predict the attacker’s next one or two actions. The technology “will study the behavior and workflows of expert hackers as they search for vulnerabilities and will create predictive models based on these observations. This may involve a combination of active and passive instrumentation including but not limited to gaze tracking, electroencephalography (EEG), system monitoring, and interviews. Proposals should describe the approach for studying expert hacker behavior and workflows. [It] will limit expert hackers under observation to analysis of artifacts that can be reasonably acquired — e.g., application binaries, firmware images — or are publicly available, such as open-source code.”
Larry Trotter, CEO of Inherent Security, which specializes in healthcare security issues, said the government proposal showed that the agency “wants to take steps in the right direction,” but he said he was puzzled by the overall proposal because it seems to be trying to create tools that already exist.
“They are trying to create an automated vulnerability detection tool and there are plenty of tools today that already do this in the marketplace,” Trotter said. “They are spending money in the wrong place.”
Trotter also questioned how they phrased the portion dealing with predictive behaviors. “Using the phrase ‘thought-patterns’ in this context, it sounds like they are trying to read their minds. It is a poor choice of words,” he said.
The name of the ARPA-H program is UPGRADE, a rather tortured acronym standing for “the Universal PatchinG and Remediation for Autonomous DEfense program.”
The proposal also wants applicants to “stand up Whole-Hospital-Simulations (WHS) that will faithfully re-create representations of the uniquely complex cyber-environments found in hospitals by incorporating physical and digital infrastructure into a mock hospital environment to enable rapid design and testing in a safe, non-operational setting” and will “focus on replicating the broader hospital cyber-environment, incorporating commercially available virtualization technologies for traditional devices — e.g., laptops, servers, mobile devices — with physical connected hospital equipment, thus mimicking a hospital’s real-world configuration.”
Also sought were applications that “will develop tools to automate and accelerate the rate at which newly encountered equipment may be emulated. Proposals should break down the steps involved — e.g., reverse engineering, rehosting, validation — and clearly identify how the proposed approach impacts each one. Proposals should also seek to fully automate the emulator development process” and “will leverage models of common sub-components (e.g., FPGAs, ASICs, microcontrollers) across different equipment, instead of recreating each emulator from the ground up.”