Exploring today's top rural healthcare cybersecurity challenges

Financial troubles and an ongoing cyber workforce shortage are some of the factors contributing to persisting rural healthcare cybersecurity challenges.

Rural healthcare cybersecurity remains a challenge for the healthcare sector despite the increased availability of free and low-cost resources, strong public-private partnerships, and promising bill proposals.

Despite the sector's best efforts, factors like budget woes, implementation barriers and workforce shortages prevent some rural healthcare entities from leveling up their cybersecurity programs.

What's more, a cyberattack on a rural hospital can have an outsize effect on patients in the event of system downtime or ambulance diversions -- the next closest hospital in a rural region might be many miles away, compared to just blocks away in urban areas.

Healthcare cybersecurity leaders are making significant progress in improving the sector's cybersecurity posture and advocating for additional resources for rural healthcare organizations. However, it is important to understand the ongoing cyber challenges that these entities still face daily, as well as some of the efforts the industry is making to tackle these problems today.

Financial constraints hinder rural healthcare providers

Many rural healthcare organizations are dealing with limited budgets and a swath of competing priorities, cybersecurity being one of them.

"In terms of challenges that rural facilities have, I don't think the budget piece is getting any better," said Kate Pierce, executive director of government affairs at Fortified Health Security.

Pierce, a former CIO and CISO at a rural hospital in Vermont, pointed to challenges with navigating Medicare Advantage plans as well as the continued fallout from the Change Healthcare cyberattack as a few sources of the financial strain on rural hospitals.

A February 2024 analysis from Chartis, a healthcare advisory firm, found that half of rural hospitals are operating in the red. The study also identified 418 rural hospitals that were vulnerable to closure.

As rural healthcare providers continue to face revenue downturns, leaders must tackle the challenge of spreading resources across several key areas of the business. While cybersecurity remains a top priority, many organizations do not have the financial resources necessary to make significant security improvements in a timely and efficient manner.

Free resources come at a cost

In June 2024, the White House, acknowledging the ongoing financial and operational challenges that rural healthcare facilities face, announced that Microsoft and Google would offer free and discounted cybersecurity resources to rural hospitals.

Microsoft extended its nonprofit program to provide grants and a 75% discount on security products optimized for smaller organizations, as well as free cybersecurity assessments and training for frontline staff at eligible rural hospitals. Organizations that already use eligible Microsoft solutions are able to receive its most advanced security suite at no additional cost for one year, Microsoft said.

Google offered endpoint security advice to rural hospitals at no cost, as well as discounted pricing for communication and collaboration tools, and funding to support software migration.

By September 2024, 350 of the approximately 1,800 independent rural hospitals in the U.S. had taken advantage of those resources, said Anne Neuberger, U.S. deputy national security adviser for cyber and emerging technologies, during a session at the Billington CyberSecurity Summit. Neuberger said her office would like to see that number rise in the coming months.

To David Finn, executive vice president of governance, risk and compliance at First Health Advisory, these tools are a good idea, but they come with implementation and installation challenges that could prevent widespread adoption.

"It is a wonderful idea. But I don't think they're going to find it that useful, and a lot of that won't really be viable because they're going to drop it into a place that doesn't have those technical engineers or network engineers, or they don't even have very sophisticated network technologies that these kinds of tools are designed for," Finn said in an interview with TechTarget Editorial.

"So, to say it's free is wonderful, but there are other costs that are well beyond the software. And then in year two, assuming you can find the people locally to do it, you're going to now have the additional software costs."

Still, Pierce noted the positive significance of the hundreds of rural hospitals that have already signed up for the program. For eligible independent hospitals, these resources can help them enhance their security programs in ways they might not have been able to prior to these resources being made available.

However, there are several reasons why other rural hospitals might not take advantage of this opportunity. For example, a hospital that does not already use Microsoft products might not find it worthwhile to uproot existing systems and deal with additional vendor contracts.

"You think about those facilities, specifically the ones that remained independent; they are independent because they don't want somebody telling them how to address the needs of their community," Pierce said.

"It is tough to remain independent," Pierce added. "In doing that, they need to be a good steward of the limited resources they have, and these resources may not be a good fit for them."

In June 2024, the White House and Google also agreed to work on a pilot program that would consist of a package of security capabilities that fit the unique needs of rural providers. The results of that program could help big tech companies further tailor their offerings to rural healthcare entities in the future.

Workforce shortages exacerbate existing challenges

Even with the proper tools, implementation requires organizations to have IT and cybersecurity professionals available to do the work. However, a preview of the 2024 edition of ISC2's annual Cybersecurity Workforce Study found that the workforce gap is widening rather than shrinking.

The study preview noted that the current workforce gap sits at 4.8 million globally, up 19% year-over-year. What's more, 39% of survey respondents said that a lack of budget was the top reason for cyber shortages, rather than a lack of talent. According to this research, upward of 10 million workforce members are needed globally to satisfy demand.

Considering this data, rural healthcare entities already facing financial challenges might struggle to obtain the workforce resources they need to improve cybersecurity.

"There's a competitive environment for who gets to employ those resources, and small and rural hospitals probably are not the top choice for some of these skilled workers," Pierce suggested.

The widening cybersecurity workforce gap paired with the uptick in healthcare cyberattacks continues to contribute to an organization's inability to reduce risk, regardless of the size and location of the facility.

Minimum standards on the horizon

There are actions that rural healthcare entities can take to improve their security posture today, even as factors outside their control continue to create challenges.

For example, in January 2024, HHS released cybersecurity performance goals (CPGs) aimed at helping the sector prioritize key security risk areas. At the time, HHS made it clear that the CPGs would serve as the basis of mandated cybersecurity standards in the healthcare sector.

"Until we get some common standards in place, we really can't start going faster with enhancing security across the sector," Finn said.

The CPGs consist of "essential" and "enhanced" goals that can be applied to organizations of all sizes. In the initial release, HHS said it would work with Congress to obtain additional funding to help under-resourced hospitals cover the costs of implementing these practices.

"The CPGs are still voluntary, but they provide a great starting point and some guidance on where to start with your cybersecurity programs and things that are essential to the base of your program versus the things that are considered enhanced," Pierce stated.

In September 2024, lawmakers took steps to solidify these standards by introducing the Health Infrastructure Security and Accountability Act. If passed, the bill would require HHS to develop standards to bolster security across healthcare. It would also allocate $800 million in upfront investment payments to rural and urban safety-net hospitals and an additional $500 million to all hospitals to adopt the enhanced cybersecurity standards.

Pierce and Finn separately noted that while progress has been made in advancing rural healthcare cybersecurity, there is still room to grow.

"One of the things that's disappointing is most of the things that have been done have only been targeted at the rural hospitals. And there's a whole ecosystem of other healthcare providers in those rural communities that need just as much if not more help than those rural hospitals," Pierce said.

"You've got long-term care facilities, you've got behavioral health, you've got dentists, and there's just such an ecosystem of healthcare providers that might be further behind in their cyber efforts than the hospitals are," Pierce added. "So, until we can bring everyone up to the same level, there's always going to be a gap there."

As lawmakers and healthcare leaders continue to make progress in this area, barriers to achieving higher cybersecurity standards across the sector persist.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
