
Siemens Healthineers has entered into a project agreement with the Advanced Research Projects Agency for Health (ARPA-H) to undertake research focused on enhancing the cyber resilience of medical devices.
ARPA-H's Universal Patching and Remediation for Autonomous Defense (UPGRADE) program aims to create new tools to help hospitals’ information technology teams better detect and remediate cyber threats. Siemens Healthineers will serve as the principal research institution for the Secure Healthcare Infrastructure Enhancement and Defense (SHIELD) project under the UPGRADE program, with activities based at its AI Factory in Princeton, New Jersey. Under the agreement, Siemens Healthineers and its research partners, Siemens Corporation, Axonius and Kraetonics, will execute this collaborative project with a budget of $6.9 million for Phase I. The goal is to develop an autonomous cyber-threat solution that enables proactive security updates, reducing the uncertainty and manual effort necessary to secure hospitals.
The SHIELD project deploys an exa-scale simulation – consisting of more than one quintillion operations per second – to identify optimal solutions for cyber resilience within medical technology products, placing particular emphasis on applications that affect continuity of care. SHIELD plans to develop a solution that addresses the difficult balance between cybersecurity, patient care, and revenue within hospital environments. When cybersecurity vulnerabilities are detected or ransomware incidents occur, hospitals may need to suspend operation of major imaging equipment until remediation is complete. Since 2016, cyberattacks have cost the healthcare industry over $77 billion, with over $15 billion in 2023 alone. The increasingly prevalent attacks have led to delays in treatment, cancellation of procedures, and reliance on paper records, and emergency rooms are often forced to divert ambulances.
Hospital cyberattacks are typically carried out through pervasive vulnerabilities in IT systems. As a result, 53% of all hospital equipment currently contains critical vulnerabilities, and 96% of hospitals have equipment with these vulnerabilities. The average time to apply critical security updates to hospital equipment is currently 491 days – more than one year – leaving critical vulnerabilities open to exploitation. In many cases, hospital cybersecurity teams are under-resourced and thus unable to perform all the updates available to them, and clinical staff further delay updates due to fears about updates impacting clinical workflows.
SHIELD will run detailed simulations to determine the most important systems and vulnerabilities to patch or remediate and find the best timing for those activities. The focus will be on the device and equipment interactions occurring within hospitals, with a special emphasis on patient visits to specialty areas such as imaging and lab. Large-scale medical record data will allow for detailed simulations of patient and clinical staff interactions to accurately portray the effects of device and equipment disruption on both the patients and staff. This solution will also offer alternative staffing, equipment, and department options as well as patient scheduling recommendations that will best maintain patient care.
The SHIELD team is partnering with hospital systems that are representative of the range of medical facilities in the country, from state-of-the-art to under-resourced rural community hospitals. Through its longstanding Value Partnerships with healthcare providers, Siemens Healthineers brings a uniquely grounded perspective to the SHIELD project. These deep, collaborative relationships provide insight into real-world clinical workflows, operational constraints, and cybersecurity challenges, ensuring that the research is informed by the realities hospitals face every day and will be designed to deliver practical, community-relevant impact.
ARPA-H is a biomedical funding agency within the U.S. Department of Health and Human Services that supports accelerated high-impact research to deliver health breakthroughs in years, not decades.






















