Rural healthcare providers across the United States face an increasing cybersecurity crisis as they struggle with limited funding, shortages in cybersecurity and IT expertise, and unending threats from savvy and better-funded adversaries. With a significant source of revenue from Medicare reimbursements, these healthcare delivery organizations, operating on tenuous margins, find themselves at a particularly precarious disadvantage as they defend themselves against cyber criminals.
"Rural hospitals operate on such thin margins that cybersecurity controls are often the last thing they're thinking about," said Mike Hamilton, field CISO at Lumifi Cyber. "When you're worried about keeping the doors open, investing in security infrastructure becomes a secondary concern." The margins also make it tough for these providers to find and keep cybersecurity talent. This talent gap leaves many facilities with outdated security practices and vulnerable systems.
Healthcare providers have been severely impacted in recent years, with the Change Healthcare ransomware attack being the most devastating. The Ascension Health ransomware attack followed that breach in May 2024, when the Black Basta ransomware group compromised systems across all 142 Ascension hospitals, affecting 5.6 million patients and crippling critical operations. The sector's vulnerability was further exposed in December 2024 when PIH Health suffered a ransomware attack that allegedly compromised 17 million patient records across three hospitals.
These attacks contributed to a total of more than 725 healthcare breaches in 2024, each affecting 500 or more records, which together represent 275 million breached records, according to the HHS Office for Civil Rights. The industry's cybersecurity crisis shows no signs of abating: an average of two healthcare data breaches of 500 or more records were reported daily throughout 2024. When Ascension's systems were compromised, emergency rooms were placed on divert status, ambulances were redirected to non-Ascension facilities, and staff were forced to fall back on manual processes that introduced delays and potential errors in critical care decisions.
Small, rural, and other tightly funded healthcare providers are particularly vulnerable to breaches, a recent report from the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) found.
Last month, the HSCC CWG (a broad coalition of healthcare providers, pharmaceutical and medical technology companies, payers, health IT entities, and government agencies) published a paper, "On the Edge: Cybersecurity Health of America's Resource-Constrained Health Providers." The HSCC CWG conducted a series of in-depth interviews with nearly 40 senior executives from resource-constrained healthcare organizations across 26 states.
The report highlights the acute cybersecurity challenges faced by resource-constrained healthcare providers, including rural hospitals, critical access hospitals, federally qualified health centers, long-term care facilities, and small physician practices. It provides actionable recommendations for governments and industries to address these vulnerabilities. The report's authors hope that policymakers, government agencies, and the broader healthcare community will recognize the unique risks faced by these providers and take specific, immediate actions to support them better.
The report outlines a set of sweeping recommendations grouped into five strategic categories:
The report urges the federal government to classify major cyber and ransomware attacks as "all hazards" incidents, which would trigger the coordinated deployment of federal response resources. It recommends expanding participation in the Health Information Sharing and Analysis Center (Health-ISAC), particularly by providing financial support for smaller providers to join. Additionally, the report calls for the continuation and expansion of CISA's support programs—including Cyber Hygiene and specialized cyber exercises—tailored specifically for healthcare organizations.
To address chronic underfunding, the report advocates for Centers for Medicare & Medicaid Services (CMS) reimbursement incentives tied to the adoption of recognized cybersecurity frameworks such as the Health Industry Cybersecurity Practices (HICP) and the NIST Cybersecurity Framework. It also recommends that third-party technology and service vendors be held to enforceable cybersecurity standards. Funding for workforce augmentation should be expanded through federal and state programs, with subsidies for managed security service providers (MSSPs), academic partnerships, and support from the National Guard. The USDA's Rural Loan Program should be maintained and expanded to help finance cybersecurity investments. Ongoing, needs-based grants and subsidies—not just one-time payments—should be made available, including the flexibility to use funds for hiring staff.
The report proposes waiving specific reporting requirements for cyberattack victims during the early stages of incident response, allowing organizations to focus on containment and recovery. It calls for federally sponsored incident response support for organizations that have been breached, and recommends that military, state, or National Guard cyber and medical personnel, along with the necessary equipment, be made available for incident response and recovery efforts.
To address the acute shortage of qualified cybersecurity professionals in healthcare, the report recommends establishing a comprehensive workforce development and training program with the support of the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), and the Veterans Administration. It also suggests funding federal and state-subsidized "civilian cyber health corps" programs, which would include loan forgiveness and alternative career pathways that do not require a four-year degree. Existing workforce development initiatives, such as those under the HITECH Act, should be augmented to meet current needs.
One of the biggest challenges is finding people with the skills within rural areas. "People do not want to get into the cyber business and go work for peanuts at a rural hospital. That's a tough sell," Hamilton explains.
Hamilton sees internships and collaborative approaches as potential ways to bridge the cybersecurity workforce gap in rural healthcare. This includes utilizing interns from cybersecurity degree programs to provide technical support, allowing them to gain hands-on experience, as well as partnering with non-profit organizations to offer security monitoring and training opportunities.
Finally, the report recommends the establishment of a comprehensive database of federal subsidies and grants for cybersecurity services, tools, and education. It suggests that allowable expenses under the FCC Health Connect Fund be expanded to include cybersecurity tools, services, and surge workforce capacity. Clear and actionable guidance should be provided to help healthcare organizations comply with new cybersecurity regulations.
To help small providers leverage economies of scale and maintain operational continuity during crises, the HSCC advocates for participation in non-profit health IT collaboratives. The council also calls for the creation of an easily accessible library of best practices for healthcare cybersecurity management and recommends allowing small providers to access General Services Administration (GSA) schedule pricing for cybersecurity tools and services, enabling them to obtain necessary resources at reduced costs.
Such initiatives are already underway. While working as CISO for the City of Seattle, Hamilton, of Lumifi Cyber, recognized that the security posture of smaller, neighboring jurisdictions could directly impact larger cities due to interconnected infrastructure. Motivated by the need to improve regional cyber resilience and workforce development, Hamilton began developing PISCES (Public Infrastructure Security Cyber Education System) as an extension of the Public Regional Information Security Event Management system, with initial funding from the Department of Homeland Security and support from Pacific Northwest National Laboratory.
Today, PISCES provides no-cost cybersecurity monitoring to under-resourced local governments while simultaneously training the next generation of cybersecurity professionals. Hamilton stressed that similar services in healthcare would help many under-resourced providers, since finding qualified practitioners is one of the biggest challenges for rural hospitals, where people are reluctant to work for low wages.
Michael Farnum, field CISO at Trace3, agrees that creating non-profit collectives, such as those dedicated to information sharing, could be a significant help. "If you form a non-profit that takes contributions from across the industry and use that to pool the funds to help start funding healthcare security initiatives, you can tackle a lot of the challenges," Farnum explained.
Farnum points to the scale that non-profit managed security service providers can offer the healthcare industry by delivering centralized monitoring across large service areas. "Geography doesn't matter anymore," noted Farnum. "You can provide monitoring and alerting for organizations almost anywhere, and this remote monitoring capability means rural facilities can access sophisticated security services regardless of their location," he added.
Recent legislative efforts also aim to address some of these challenges. A House bill, functionally identical to Senate Bill 4697 introduced in July 2024, seeks to redirect the Cybersecurity and Infrastructure Security Agency (CISA) to assist rural healthcare providers. "They're going to facilitate threat intelligence sharing," Hamilton explained. The legislation also includes provisions for training owners and operators of healthcare facilities, Hamilton said.
States are also stepping up. California has established a statewide Security Operations Center (SOC) to monitor critical organizations, including rural healthcare providers. The SOC gives the state visibility across its institutions, enabling it to detect reconnaissance activity and warn facilities of impending threats.
As threats continue to evolve, rural healthcare providers must find sustainable ways to improve their security posture. This will likely require a combination of approaches: pooled resources through collectives, managed security services, government assistance, and a focus on fundamental security practices. With patient safety and data protection at stake, the security of rural healthcare providers remains a critical concern that requires immediate and sustained attention from industry, government, and the cybersecurity community.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.