Attack Surface Management
,
Healthcare
,
Incident & Breach Response
UPGRADE and DigiSeals Programs at ARPA-H Remain Fully Funded
A U.S. federal grant effort to develop autonomous medical device patching platforms for hospitals evaded the budget-cutting knife of the Trump administration in its annual funding request sent to Congress.
See Also: Reduce Cloud Risk in Healthcare with Security by Default
The Universal Patching and Remediation for Autonomous Defense program, or UPGRADE, will stay on track in a budget request that would cut $555 million from the Advanced Research Project Agency for Health, the project’s home agency. ARPA-H is a component of the Department of Health and Human Services. It received $1.5 billion in the current federal fiscal year, which expires Sept. 30.
When UPGRADE was first launched in 2024, ARPA-H estimated funding could reach $50 million, but adjusted the amount to $43 million “based on the support appropriate for the selected performers’ projects,” a federal official who requested not to be identified told ISMG.
Program boosters hope to automate cyber defenses so that hospitals of any size can more quickly patch vulnerabilities and mitigate related issues identified in software and devices “in days instead of months” while and keeping patient care delivery operating safely.
Patching vulnerabilities in any healthcare environment is a serious challenge. A hospital or clinic may have hundreds, if not thousands of different types and models of medical devices in their environments – many that are decades old. There’s also rarely a convenient or perfectly safe time for resourced-stretched security teams to apply patches or other remedies to life sustaining equipment without potentially affecting patient care.
Any new patch or modification on one device could additionally have unintended consequences for interoperability, function, access.
Program dollars are going to 10 awardee organizations – including universities and commercial firms. Among them is the Northeastern University’s Archimedes Center for Healthcare and Device Security, which in late 2025 received a $19 million grant that it will use to investigate building digital twins of hospital infrastructure.
“This is really going to help not only the industry and the vendor community of medical device manufacturing, but also healthcare delivery organizations to better understand what to expect as they deploy new technology … or put in a new patch to their clinical systems,” said Prof. Kevin Fu, Archimedes director. The center calls its UPGRADE-funded program PATCH, an acronym recursively meant to stand for “Patch of Asclepius: Technology for Cybersecure Healthcare (see: Implantable Brain Devices Top Cyber Privacy Concerns).
Other awardees include Georgia Institute of Technology, which received $4.3 million to develop a platform for emulating medical devices and a platform for automatically finding and fixing vulnerabilities. Vanderbilt University received $4.3 million for creating a “vulnerability mitigation platform” and a digital twin emulator.
Also set to continue without any funding interruptions is ARPA-A’s Digiseals program, launched in 2023. It provides $50 million in funding to six awardees, including universities and companies from across the United States that are working on technologies ranging from “artificial intelligence to cybersecurity and cutting-edge analysis.”
One of the Digiseals projects, “Crashcart” – led by the University of California San Diego, is a mobile platform “designed to rapidly restore essential connectivity and support critical clinical functions when ransomware compromises hospital systems,” ARPA-H said.
A prototype of the Crashcart rapid response system helped to bring a 20-bed emergency department back online in only 34 minutes from a ransomware attack using a team of only about a half-dozen trained personnel, ARPA-H told Congress. Scalable demonstrations of CrashCart are anticipated for 2026, the agency added.