Georgia Tech builds network sandbox to test hospital cyber defenses
With ARPA-H funding, Georgia Tech researchers are building a platform that emulates a hospital's network, enabling them to identify and fix vulnerabilities without risking patient care.
Unpatched cybersecurity vulnerabilities and missed software updates pose more than technical challenges for hospital IT security teams -- they can disrupt patient care and critical operations, making effective and efficient vulnerability management essential.
With a contract award of up to $12 million from the Advanced Research Projects Agency for Health (ARPA-H) Universal Patching and Remediation for Autonomous Defense (UPGRADE) program, Georgia Tech researchers are working to alleviate this problem. They recently launched the Hospital-Integrated Vulnerability Identification and Proactive Remediation (H-VIPER) project, aiming to help hospitals quickly detect and fix system vulnerabilities.
"One thing that we see over and over again in the healthcare sector is that healthcare networks are very messy, and they're messy for a good reason. It's because patients require a wide variety of different healthcare solutions, tools and techniques," said Brendan Saltaformaggio, associate professor at Georgia Tech's School of Cybersecurity and Privacy.
"What this does from a cybersecurity perspective is it creates a very diverse attack surface. It leaves a lot of openings where an attacker might exploit something and be able to compromise the network."
Saltaformaggio, the lead researcher on the project, teamed up with fellow cybersecurity researchers and three Georgia hospitals -- Hamilton Health Care System, Emory Healthcare and Children's Healthcare of Atlanta (Children's) -- to build and test a platform that allows IT teams to test their cyber defenses while minimizing downtime and patient care disruptions.
The project is currently in year one of an estimated three-year effort. Saltaformaggio hopes it can foster stronger healthcare cybersecurity and inspire additional research.
Why vulnerability management remains a challenge in healthcare
Healthcare organizations are notorious for having complex, interconnected networks, legacy devices and limited resources, all in an environment where patient care trumps all else.
Stoddard Manikin, chief information security officer at Children's and an H-VIPER project collaborator, emphasized the unique circumstances that set healthcare apart from other industries when it comes to cybersecurity.
"The healthcare industry has been targeted for many years by cybercriminals. We are especially vulnerable because we have 24/7 operations. We have patients who are ill and rely on key systems being available at all times," Manikin said.
"Healthcare in particular has a wide variety of IT systems from multiple different vendors on different operating systems and platforms. It makes it very complicated to keep those systems up and running, keep them integrated and on our networks, but also to manage the vulnerability lifecycle of all the variety of systems."
Depending on the flaw and the complexity of the patch, vulnerability remediation can temporarily take a system offline. However, a neglected software update can leave entry points open for cybercriminals. As such, managing a complex, interconnected system requires weighing the risk of patching against the risk of not patching.
"From a research perspective, this is a really hard domain to do cybersecurity research in, because in a lab environment, I can't recreate that diversity of devices and attacks and data and network connections," Saltaformaggio said.
With these challenges in mind, the H-VIPER researchers set out to craft a system that enables IT teams to test their cyber capabilities in a controlled environment before deploying potentially disruptive updates and patches in real hospital settings.
Testing cyber defenses in a sandbox before deploying
Any large healthcare system will likely have a solid network inventory, which is a great first step in managing a complex network of devices, Saltaformaggio said.
"But what our research aims to do is to build what we call a whole-hospital simulation," he noted. "So, it's kind of like a sandbox where you can play around with the hospital's network without actually interfering with the clinical operations."
The system maps out a hospital's network, giving researchers visibility into how the network would respond to a cyberattack or other adverse cyber event.
"We can do things like build new patches and new remediations for vulnerabilities, and then we can test those remediations in the simulation to be sure that when we push those remediations out into the real network, it won't interfere with any of the patient care or the availability of, say, an MRI machine or other medical devices," Saltaformaggio said.
The system will also be able to identify threats and alert the IT department, enabling better vulnerability detection.
"This research is going to help us uncover new and novel ways to do vulnerability management in a complex real-world healthcare environment. Partnering with Georgia Tech lets us leverage their expertise with information systems and security with our very practical real-world knowledge of medical devices, the healthcare environment and network configuration, so that we're doing practical research that can actually have an impact and improve the industry," Manikin added.
The goal, Manikin stressed, is to get healthcare cybersecurity to a place where hospitals are proactive rather than reactive in managing cyber risk.
ARPA-H's investment signals a turning point for healthcare cybersecurity
ARPA-H launched the UPGRADE program in 2024, investing $50 million to develop autonomous security tools for hospital environments. The program aims to bring hospital IT staff and cybersecurity experts together to build a "scalable software suite for hospital cyber resilience," ARPA-H said.
Saltaformaggio emphasized ARPA-H's positive impact on highlighting the importance of healthcare cybersecurity research, but noted that more investment is needed to catch up in this field.
"It's great that ARPA-H is getting this out there. It's great that this is becoming a priority for the government. It requires investment in fundamental research to develop new theories that allow us to protect hospitals," he said.
"We don't even have a basic understanding of how to do that right now. We sort of let hospitals purchase the same industry standard tools that you might purchase at any big corporation, and those simply do not apply in the healthcare space."
Saltaformaggio is hopeful that initiatives like the UPGRADE program will enable innovations in healthcare cybersecurity.
Other UPGRADE program research projects include ARMOR-H, a Vanderbilt University-led effort to build a vulnerability mitigation platform with a digital twin system of medical devices, and SHIELD, a project by Siemens Healthineers that seeks to develop an autonomous healthcare defense facility specifically for under-resourced facilities.
"It demonstrates the prioritization on behalf of our federal government to recognize that we are a critical sector of the country, that we are a vulnerable sector, that we need help as a healthcare community because if we can't handle patient volume and treating people and so forth, then parts of the social fabric break down," Manikin said of ARPA-H's investment.
"Each of us trying to independently create our own cyber police force is inefficient. So, we have to look for ways where we can multiply our advantages. And I think some of the force multipliers out there are things like this research, where we can come up with effective, realistic ways to do vulnerability management more efficiently."
Jill Hughes has covered health tech news since 2021.