A team of researchers at the Georgia Institute of Technology’s School of Cybersecurity and Privacy has received a contract worth up to $12 million from the Advanced Research Projects Agency for Health (ARPA-H) to develop a new cybersecurity platform aimed at protecting hospitals from cyber threats.
The initiative, called Hospital-Integrated Vulnerability Identification and Proactive Remediation (H-VIPER), will begin work next month. The goal is to create an advanced system known as Whole-Hospital Simulation (WHS), which maps hospital networks and allows IT teams to test their cyber defenses before implementation. The system is designed to identify vulnerabilities such as missed software updates and alert hospital IT departments, addressing risks associated with the increasing number of connected medical devices.
“This is a new area of security research,” said Associate Professor Brendan Saltaformaggio. “We not only have to worry about the cybersecurity aspect, but the physical security as well. Our research must be very accurate to make sure patients are safe from cyberthreats.”
Hospitals face challenges due to the large number of networked devices, including those used in patient care. Saltaformaggio noted that both large institutions like Children’s Healthcare of Atlanta and smaller hospitals have potential entry points for attackers.
The research team has already interviewed IT staff at Children’s Healthcare of Atlanta and Hamilton Health Care System to understand how best to scale the WHS system according to different hospital needs.
“Hospitals IT processes are notoriously sensitive to disruption, because essentially any kind of down time for rebooting a system or lack of availability can create chaos in the clinical environment,” said Stoddard Manikin, chief information security officer for Children’s Healthcare of Atlanta.
“Our goal is to create very smooth processes and workflow for our patient facing staff and providers to deliver the best care possible. This research opportunity gives us a chance to develop news ways where we can look at these sensitive medical devices and things on the IT network in a healthcare environment and potentially remediate vulnerabilities without taking them out of service.”
Saltaformaggio emphasized that current hospital cybersecurity practices tend to be reactive rather than proactive. The H-VIPER project aims to address vulnerabilities across all levels of hospital technology by bringing together expertise from various disciplines within Georgia Tech.
Faculty from multiple units—including the College of Computing, College of Engineering, School of Electrical and Computer Engineering, School of Computer Science, and Georgia Tech Research Institute—will participate in this effort alongside Ph.D. students and postdoctoral researchers. About 30 Georgia Tech researchers will collaborate with partners such as Emory University, Children’s Healthcare of Atlanta, Hamilton Health Care System, Tufts University, Iowa State University, and Narf Industries.
