UPGRADE and DigiSeals Programs at ARPA-H Remain Fully Funded
In a significant development for healthcare cybersecurity, the Advanced Research Projects Agency for Health (ARPA-H) confirmed that its UPGRADE and DigiSeals programs will continue to receive full funding despite proposed cuts to the agency’s overall budget by the Trump administration. This announcement is crucial as the health sector increasingly relies on digital technologies and connected medical devices, making robust security measures indispensable.
The UPGRADE initiative specifically focuses on creating autonomous patching platforms for medical devices within hospitals. This project aims to streamline the process through which healthcare facilities can address and rectify vulnerabilities in their systems, significantly reducing the delay in implementing necessary updates. With modern healthcare increasingly reliant on interconnected systems, the importance of effective patch management cannot be overstated.
According to recent budget documents submitted to Congress, ARPA-H’s funding is projected to decrease by $555 million; however, UPGRADE will remain a priority. Currently funded at $1.5 billion for the fiscal year ending on September 30, 2026, the agency has adjusted its financial outlook for UPGRADE from an initial estimate of $50 million to $43 million. This adjustment reflects a more tailored allocation based on the specific needs and capabilities of the project’s performers, as noted by a federal official who preferred to remain anonymous.
The automation of cyber defenses is a critical objective of the UPGRADE program. Its proponents emphasize the need for hospitals of varying sizes to patch vulnerabilities quickly, ideally resolving issues in a matter of days rather than months, all while ensuring that patient care remains uninterrupted. The complexities of modern medical environments present formidable challenges; many hospitals house hundreds or even thousands of diverse medical devices, some of which may be decades old.
Moreover, the timing for applying such patches is rarely ideal. Hospital security teams are often stretched thin, making it difficult to address vulnerabilities in high-stakes environments without compromising patient care. Each new update or modification risks unintended consequences, particularly in terms of device interoperability and functionality.
The UPGRADE program has earmarked funding for ten organizations, which include both academic institutions and commercial entities. Notable among the recipients is Northeastern University’s Archimedes Center for Healthcare and Device Security, which received a substantial grant of $19 million. This funding will be directed toward developing digital twins of hospital infrastructure, which will serve as virtual representations to help better understand the operational implications of deploying new technologies and patches.
Prof. Kevin Fu, the director of the Archimedes Center, expressed optimism about the potential benefits of UPGRADE for healthcare systems and medical device manufacturers. He indicated that these advancements would provide valuable insights, especially for organizations deploying new technologies or installing patches. The center’s initiative, dubbed PATCH—an acronym recursively representing “Patch of Asclepius: Technology for Cybersecure Healthcare”—aims to enhance cybersecurity in healthcare environments.
Other awardees contributing to UPGRADE’s mission include the Georgia Institute of Technology, which has been allocated $4.3 million to develop platforms that emulate medical devices and automatically identify and repair vulnerabilities. Similarly, Vanderbilt University received $4.3 million aimed at creating a “vulnerability mitigation platform” alongside a digital twin emulator, reinforcing the program’s commitment to addressing cybersecurity challenges.
Furthermore, ARPA-H’s DigiSeals program will also remain unaffected by the budget cuts. Launched in 2023, DigiSeals focuses on providing $50 million in funding to various awardees, including universities and tech companies exploring innovative solutions that employ technologies such as artificial intelligence and advanced cybersecurity techniques.
One notable project under the DigiSeals initiative is "Crashcart," a mobile platform designed by the University of California San Diego to swiftly restore essential connectivity and support critical clinical functions following ransomware attacks. Demonstrating its effectiveness, a prototype of the Crashcart system was able to revive a 20-bed emergency department in a mere 34 minutes following a ransomware breach, accomplishing this with a team of just six trained personnel. Scalable trials of the Crashcart system are planned for 2026, showcasing its potential impact on hospital resilience amidst increasing cyber threats.
The unwavering support for both the UPGRADE and DigiSeals programs highlights the ongoing commitment to bolstering healthcare cybersecurity, paving the way for safer and more effective medical environments in the face of rapidly evolving cyber threats. As these programs advance, they promise to not only enhance the security of medical devices but also ensure the continuous delivery of high-quality patient care.