Cybersecurity for Rural Healthcare Facilities

Rural healthcare facilities face the same cyberattack threats to their ongoing operations and finances as larger healthcare systems, yet may lack the in-house staff and financial resources to protect their data or respond to an attack. Rural facilities may also be vulnerable to the impacts of attacks on other healthcare industry organizations they rely on, for example for outsourced services or payment. They are also charged with protecting the privacy and security of patient information, which is often a specific target of online attacks.

To ensure the safety and privacy of their patients, protect their ability to deliver healthcare services, and maintain financial solvency, rural healthcare facilities need to understand and be ready to address a wide range of potential threats. Healthcare organizations' leaders need to be aware of the importance of conducting regular risk assessments and securing cybersecurity insurance coverage for a potential breach. This guide identifies the current rural health environment related to cybersecurity, as well as resources available to help rural facilities.

For a broader look at emergency preparedness concerns, including cybersecurity, see the Rural Emergency Preparedness and Response topic guide and Rural Emergency Preparedness and Response Toolkit.

For more general information about health information technology (HIT) and HIT workforce, see the Telehealth and Health Information Technology in Rural Healthcare topic guide.

Understanding the Risks

Cybersecurity: A Path to Increase Rural Health Care Preparedness, a policy brief from the National Rural Health Association, outlines the challenges that rural healthcare facilities face in addressing these concerns. It also offers policy recommendations targeted to the specific concerns of rural communities that could improve support, collaboration, and education.

Hospital Cyber Resiliency Initiative Landscape Analysis, a 2023 report developed by the U.S. Department of Health and Human Services (HHS) and the Health Sector Coordinating Council Cybersecurity (HC3) Working Group, identifies the challenges hospitals face and hospitals' preparedness to address cyber threats. Rural hospitals in particular have concerns related to reliance on older hardware and software that are more vulnerable to attack, cybersecurity insurance coverage exclusions if the facility is not able to meet minimum security standards, and difficulty attracting IT staff with needed expertise.

Ransomware attacks on rural facilities — where access to an organization's information technology system is seized by an unauthorized party and held for ransom — are a major threat to the healthcare industry. The 2023 Internet Crime Report from the Internet Crime Complaint Center (IC3) reported that the healthcare sector was the most impacted by this type of attack, with 249 out of 1,193 ransomware complaints received in 2023 being healthcare-related. Understanding the Rise of Ransomware Attacks on Rural Hospitals, a June 2024 policy brief from the University of Minnesota Rural Health Research Center, reports on an increasing number of ransomware attacks impacting rural hospitals from 2016 to 2021. Impacts from these attacks included operational disruption, delays and cancellations of appointments, and ambulance diversion.

Attacks on companies that offer outsourced services, such as billing, can impact rural facilities' ability to operate. For example, the February 2024 attack on Change Healthcare, a health payment processing company, resulted in delays and unpaid claims for clinics and hospitals, as well as leaked health information for patients. The attack was of particular concern for rural practices operating with fewer financial resources to fall back on.

In Need of a Checkup: Examining the Cybersecurity Risks to the Healthcare Sector, a 2023 U.S. Senate Committee on Homeland Security and Governmental Affairs hearing, includes testimony from Kate Pierce, the former Chief Information Officer and Chief Information Security Officer of an Alabama Critical Access Hospital, who discusses cybersecurity in small and rural hospitals.

Rural Case Studies

Rural facilities may find it helpful to review case studies from other rural healthcare facilities that have experienced a cyberattack. It may be difficult to find examples, due to concerns organizations may have about negative impacts of sharing their experiences. However, this type of reporting can help everyone become more prepared.

An Unseen Threat Actor Attacks a Critical Access Hospital's Digital Network in Sandusky, Michigan, in the Rural Emergency Preparedness and Response Toolkit, provides a detailed account of a March 2022 ransomware attack on the McKenzie Health System and a recovery that benefited from having a disaster recovery plan and offsite redundancy in place.

Recovering from a Cybersecurity Attack and Protecting the Future in Small, Rural Health Organizations, in the Rural Monitor, shares information from the McKenzie Health System's experience, as well as from a 2019 cyberattack in Colorado that impacted Estes Park Health, a Critical Access Hospital and affiliated outpatient clinic. The article also provides insights from an information technology compliance expert, actions organizations can take, and list of cybersecurity resources.

Tools and Resources for Rural Providers

Cybersecurity Practices for Small Healthcare Organizations, a 2023 U.S. Healthcare & Public Health Sector Coordinating Council guide, outlines key healthcare cybersecurity practices for small healthcare organizations, as well as resources for managed IT services and vendor selection. It covers topics such as email protection, access management, data protection, and incident response. In addition to this volume focused on small practices, there is also a broader document — Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients — with additional information.

The HHS Office of Civil Rights (OCR) offers Cyber Security Guidance Material with educational materials about HIPAA-related cybersecurity requirements. The HIPAA Security Rule includes a requirement that healthcare facilities complete regular risk assessments to ensure they are adequately safeguarding protected health information. The Security Risk Assessment Tool is a resource for medium and small providers developed by OCR and the Office of the National Coordinator for Health Information Technology (ONC). Safety Assurance Factors for EHR Resilience (SAFER) Guides from ONC offer additional information to help healthcare organizations conduct self-assessments.

The Cybersecurity Toolkit for Rural Hospitals and Clinics, developed by the National Rural Health Resource Center, provides a step-by-step guide covering cybersecurity awareness, assessment, implementation and remediation, and education.

The Small Rural Hospital Improvement Program (SHIP), supported by the Health Resources and Services Administration's Federal Office of Rural Health Policy (FORHP), annually provides State Offices of Rural Health (SORHs) with funding to help their small rural hospitals meet value-based payment and care goals through investments in hardware, software, and training. SHIP funds, which are directed through states to small rural hospitals, can also be used by hospitals to purchase health information technology, equipment, and training to comply with cybersecurity assessments, education, and training. The approximate funding per eligible hospital is $13,000 per year.

The Microsoft Cybersecurity Program for Rural Hospitals, a collaboration of Microsoft, The White House, the American Hospital Association, and the National Rural Health Association, offers rural hospitals access to Microsoft security solutions, resources, and training at no cost.

Google's rural healthcare cybersecurity initiative aims to help rural health systems and hospitals strengthen their resilience to cyberattacks. Google is partnering with government and industry to offer its solutions to rural health facilities at no cost or a significant discount. This technology is adapted to the needs of each facility and may cover access and collaboration, consulting and support, and security training. Additionally, Google will provide implementation services and support to eligible organizations.

Prepare, React, and Recover from Ransomware is a one-page infographic from the Health Sector Cybersecurity Coordination Center that outlines the actions that medical practitioners, IT professionals, and emergency managers should take to prepare, react to an attack, and recover.

The Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, provides a centralized government location, Stop Ransomware, with information and tools to learn about, protect from, and respond to ransomware attacks. CISA offers Cybersecurity Alerts and Advisories, as well as weekly Vulnerability Summary bulletins that highlight current and emerging concerns. It also offers free Incident Response Training with information covering basic cybersecurity awareness and best practices.

The American Hospital Association (AHA) Cybersecurity & Risk Advisory section offers rural hospital resources, as well as a What's Your Cyber Risk Profile? 12 Considerations for CEOs fact sheet.

For additional resources, the Administration for Strategic Preparedness and Response (ASPR) offers a cybersecurity resources collection in its Technical Resources, Assistance Center, and Information Exchange (TRACIE).

Federal Cybersecurity Strategy

The National Cybersecurity Strategy, a March 2023 White House document, identifies a broad set of objectives for addressing the risks related to cybersecurity across all industries, including healthcare.

Healthcare Sector Cybersecurity: Introduction to the Strategy of the U.S. Department of Health and Human Services outlines HHS activities focused on hospitals and health systems and identifies the various organizations within HHS focused on these issues.