Participation in rural hospital cybersecurity program grows

Approximately 550 rural hospitals have signed up to participate in Microsoft's rural hospital cybersecurity program as of February 2025, the company stated in a report that also included preliminary data on cybersecurity performance at U.S. rural hospitals.

Microsoft launched its rural hospital cybersecurity program in June 2024 amid rising cyber threats and a push by the Biden administration to bolster cybersecurity in the healthcare sector. Microsoft's contribution to tackling this growing threat includes free security assessments for rural hospitals, curated cyber awareness training resources and discounted Microsoft security products.

In its latest report, Microsoft stated that response to the program has "exceeded projections," with approximately one-third of U.S. rural hospitals taking part in the program.

More than 375 hospitals are participating in cybersecurity assessments funded by Microsoft, and 1,000 individuals took part in the company's cybersecurity training offerings for rural hospitals.

While program adoption continues to grow, preliminary data from 250 completed assessments revealed troubling trends in rural hospital cybersecurity readiness and resilience.

Microsoft, alongside FSi Strategies and MorganFranklin Cyber, analyzed the assessment results and found that rural hospitals have faced challenges with implementing basic security controls like multifactor authentication and network segmentation.

What’s more, just 29% of the assessed rural hospitals adequately separated end-user and privileged accounts.

"Often rural hospitals with lean IT teams lack experience in developing and managing such policies and the capacity to do rigorous ongoing monitoring," the report explained.

The results also showed that most rural hospitals lacked a robust cybersecurity training program, despite the prevalence of social engineering in the healthcare sector.

Microsoft acknowledged that there are several factors that are contributing to the significant security gaps it observed through its assessments -- most of which can be at least partially tied to a lack of money and resources.

The company cited a 2024 report by Chartis Group that showed that 50% of U.S. rural hospitals are operating in the red. Financial viability for rural hospitals is precarious due to unique factors like lower patient volumes and low repayment rates by insurers.

In addition to financial struggles, ongoing cybersecurity workforce shortages continue to strain rural hospitals, which are already dealing with a smaller talent pool due to their location.

Independent rural healthcare organizations struggling with shrinking budgets and workforces are forced to make the most of the limited resources they do have. Help from policymakers and big tech companies could help ease this burden, Microsoft suggested.

"Addressing the current state of rural health requires a multifaceted approach, with meaningful engagement and support from public and private sectors," Microsoft stated.

"Tackling acute and accelerating cybersecurity risks faced by 'target rich, resource poor' rural hospitals requires near-term action and resource mobilization, coupled with a broader focus on hospital resiliency, supported through innovation and partnerships."

Microsoft estimated that each independent rural hospital with approximately 50 beds and 200 end users would need an investment of approximately $30,000 to $40,000 to address the top cybersecurity risks impacting their organizations. Addressing the top vulnerabilities among the roughly 1,000 independent rural hospitals would cost an estimated $40-45 million altogether.

"A one-time remediation of the most critical cybersecurity risks to rural hospitals is critically important to help hospitals stay as safe as possible in the near term," Microsoft stated.

However, the company also acknowledged that a one-time stopgap measure would not be sufficient on its own. Tackling rural hospital cybersecurity challenges must be a shared responsibility.

"There is a compelling need for the healthcare industry, policymakers and funders, and technology companies to bolster resourcing and innovation across rural areas," the report stated.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.