Getty Images/iStockphoto

How Rural Hospitals Can Tackle Healthcare Cybersecurity Risks

Rural hospitals are up against the same healthcare cybersecurity risks as larger organizations but may have limited resources to combat them.

Ransomware, phishing, and breaches are all top-of-mind concerns for healthcare cybersecurity leaders, regardless of organization size or location. But for small, rural hospitals, managing cyber risk can be an even more intimidating task.

From limited financial resources to competition for cyber talent, rural hospitals face unique challenges when it comes to managing cybersecurity. However, while rural hospitals may not have the luxury of investing in the latest and greatest security solutions, there are a variety of free resources and security-minded strategies that organizations can implement to bolster their cybersecurity architectures.

Cyber Challenges For Rural Hospitals

Rural hospital closures and consolidations are becoming more common, as exemplified in a 2021 Government Accountability Office (GAO) report. GAO found that between 2012 and 2018, the median travel distance to a hospital increased by about 20 miles in areas where a rural hospital had closed.

GAO also observed that even prior to COVID-19, many rural hospitals were in financial distress in the years leading up to their closure.

Rural hospital closures can have multiple negative impacts on surrounding communities. Individuals have to travel further for care, and an influx of new patients may also put a financial and operational strain on still-functioning hospitals.

From a cyber perspective, if the hospitals that are still standing suffer a cyberattack that leads to downtime and ambulance diversions, patients must travel even further to get to the nearest hospital, heightening patient safety risks.

In addition, the combination of limited budgets and sparsely populated areas does not necessarily attract new cyber talent regularly. The ongoing cybersecurity shortage is impacting large and small organizations alike, forcing existing security professionals to stretch themselves thin.

“In terms of the resource shortage for security practitioners, it’s dire,” Michael Hamilton, co-founder and CISO of Critical Insight told HealthITSecurity. With over 30 years of experience in the security space, Hamilton has worked firsthand with organizations of all sizes to manage security risks.

Financial strain and a shortage of security practitioners make cybersecurity difficult to manage. On top of those concerns, data breaches and cyberattacks are still impacting the sector on a daily basis, making robust security programs even more essential.

Working Smarter, Not Harder

“It’s not so much about tools, but how you approach the problem,” Hamilton explained.

Even if a rural hospital had secured the funds necessary to invest in a variety of security tools, it would not necessarily strengthen its security posture. The key is to use the right tools for your specific organization and to supplement technological solutions with operational strategies and employee education.

Hamilton suggested that rural hospitals focus on securing initial access points, keeping an eye on logs, addressing third-party risk, and maintaining awareness of internet-facing technology. Creating and maintaining personal device policies can also help reduce risk.

In addition, security leaders should communicate cyber risks to the C-suite effectively by translating cyber jargon and abstract threats into tangible business risks.

When it comes to retaining cyber talent, “one of the solution sets has to be developing talent internally,” Hamilton suggested.

Giving security and IT staff the opportunity to grow and learn in their roles will, ideally, allow them to contribute more to implementing strong security strategies. Hamilton also acknowledged that it can be difficult for rural hospitals to compete with big tech companies for highly-skilled cyber talent, but it is still worth investing in existing talent.

Hamilton also recommended that rural hospitals keep an eye on the latest alerts released by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and other intelligence communities.

For example, the Health Sector Cybersecurity Coordination Center (HC3) recently warned the healthcare sector of a new monkeypox-themed phishing scheme targeting providers. Threat actors are using the public health threat to lure users into clicking malicious links. Using that knowledge, healthcare security experts can warn their communities and prepare mitigation tactics accordingly.

It is impossible to eliminate cyber risk within any organization. But even with limited resources, rural hospitals can effectively reduce risk.

Free Resources to Bolster Healthcare Cybersecurity

“There are resources that rural hospitals can tap at no cost, and those are probably the solutions that they should be taking into consideration right now,” Hamilton reasoned.

In addition to the threat briefs and alerts from the FBI and CISA that Hamilton mentioned, the Office of the National Coordinator for Health Information Technology (ONC) has numerous resources geared toward different organization types.

The Office for Civil Rights (OCR) and ONC recently released version 3.3 of the HHS Security Risk Assessment (SRA) Tool. ONC and OCR developed the SRA Tool to help HIPAA-covered entities navigate risk assessment requirements under the HIPAA Security Rule. The tool is a software application that organizations can download at no cost.

ONC also offers guidance on keeping mobile devices secure, compliance information, and contingency planning.

The National Rural Health Resource Center developed a cybersecurity toolkit aimed at rural hospitals and clinics, which is full of more tools and insights.

The toolkit presented rural hospitals with a cyclical, four-part process for managing cybersecurity that involves awareness, assessment, remediation and implementation, and education.

To raise awareness of cyber risk within a rural hospital, the Center suggested that rural hospitals send email reminders to employees and even hang up cybersecurity posters for employees to see. In addition, the toolkit provided a list of awareness documents and tools, including the US Computer Emergency Readiness Team (US-CERT) website and ONC’s Health IT Playbook.

In the assessment phase, the Center recommended that rural hospitals perform risk assessments and further utilize ONC’s playbook, which contains educational risk assessment videos.

“The assessment phase presents several opportunities for improvement. Risks and threats that were identified in the assessments will need to be remediated, and new processes or technologies will likely need to be implemented to protect health information,” the toolkit explained.

“Common risks, such as notifying IT of employee terminations, have common solutions. Reaching out to other organizations for example policies and processes on risk mitigation can help your facility learn from other’s experiences. Networks, trade organizations, web resources, and peer hospitals and clinics will likely have sample policies or procedures that can help.”

The National Institute of Standards and Technology (NIST) cybersecurity framework (CSF) can provide a useful framework for managing risk, and the Health Information Sharing and Analysis Center (Health-ISAC) regularly provides security guidance.

While not an exhaustive list, these tools and free guidance documents from reputable sources can help rural hospitals assess and manage risk.

Managing cyber risk as a rural hospital requires organizations to take a risk-based security approach, focus on retaining cyber talent, and take advantage of free resources to bolster their security strategies.

Next Steps

Dig Deeper on Cybersecurity strategies