Rural hospitals and cybersecurity: Free resources being underutilized

If I had a nickel for every time my colleagues and I have posted in this space about the healthcare industry’s elevated cybersecurity risks, I might have a dollar or so. See for yourself. 

And yet, as demonstrated by a recent report about low utilization of security resources for rural hospitals, healthcare organizations continue—with plenty of exceptions, of course—to have less-than-adequate cybersecurity infrastructures. It’s almost enough to make a blogger wonder whether his posts have the reach, impact, and influence that he likes to imagine they do.

Some good news

There was some good news at the beginning of the year. As reported here, the Identity Theft Resource Center (ITRC) issued its Q1 2024 Data Breach Analysis, and one of its findings was that—for the first time in many years—the healthcare industry did not experience the highest number of breaches. It came in second, behind the financial services industry. 

That’s good news, and it indicates that the industry as a whole has been focusing more than in the past on cybersecurity investments. And in an effort to continue this positive trend, the US Department of Health and Human Services (HHS) launched a new initiative last spring. 

As we reported here, in response to the devastating and disrupting cyberattack that took down United Health’s Change Healthcare system, the government created a one-stop-shop online portal for healthcare cybersecurity resources. 

Given the unique complexity of healthcare IT environments and attack surfaces, this centralized source of authoritative information and solutions is incredibly valuable for organizations to confidently formulate and execute plans to modernize cybersecurity. 

Rural hospitals at risk

Within the healthcare industry, the most vulnerable sector is rural hospitals and clinics. The core reason for this is that their revenue is insufficient to cover their costs. According to a report issued this summer, more than one-third of all rural hospitals and clinics in the US are at risk of closing. 

For organizations teetering on the edge of insolvency, a successful cyberattack can easily be the final straw that pushes them over the edge—they just can’t afford the costs associated with a ransomware attack. And that same lack of resources means that they are unable to invest in modern cybersecurity without help.

Fortunately, help is available. This past June, the White House launched an initiative to pull together a variety of vendors to offer free or low-cost cybersecurity tools, services, and solutions. Google and Microsoft signed on as core providers, offering free services to help rural hospitals implement best cybersecurity practices despite limited IT resources.

Less fortunately, however, an update in September revealed that at that time, less than one-quarter of rural hospitals and clinics had taken advantage of those resources. 

Why? We can only speculate. Perhaps the program has not been communicated effectively to its intended audience. Perhaps rural hospitals are so resource-constrained that they feel like they just don’t have the time even to take advantage of no-cost cybersecurity help. Or maybe, despite all the evidence, their IT staff just don’t quite believe that cyber threats represent a potentially existential risk to their organizations. 

Whatever the underlying reason, it’s absolutely critical for rural—and indeed all—healthcare organizations to make a serious and sustained commitment to modernizing and upgrading their security. Threat actors know that these organizations are vulnerable—and that they have large stores of sensitive data that they can sell for a premium price on the dark web. Without adequate security, it is only a matter of time. 

More resources

For a truly dazzling array of links to very helpful informational materials, visit the Rural Health Information Hub.

The National Rural Health Resource Center provides a handy, downloadable Cybersecurity Toolkit for Rural Hospitals and Clinics.

In 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) released a Collaborative Cybersecurity Healthcare Toolkit.

And finally, for a breakdown of all the ways that Barracuda supports healthcare organizations in meeting their unique and critical cybersecurity needs, check out our Healthcare web page.