Less than half of rural hospitals get a passing grade in cybersecurity

The rural hospital cybersecurity landscape is dire, prompting many struggling hospitals to seek help from a program sponsored by Microsoft.
By admin
Mar 18, 2025, 1:32 PM

Rural hospitals are among the nation’s most critical healthcare providers, yet they are also some of the most vulnerable. Shifting demographics, policy changes, and poorly aligned business incentives have led to a tsunami of rural hospital closures in recent years, leaving residents of remote communities with even fewer options for accessible, effective care.

And for the dwindling number that remain open, the job is only getting harder – especially when it comes to protecting themselves from ransomware and other cybersecurity threats.  

Smaller healthcare organizations are prime targets for bad actors who know just how little these entities can afford extended downtime, potentially making them more likely to pay ransom to regain access to essential digital services. 

Cyber criminals also know that rural hospitals don’t always have the budget and resources to develop bulletproof cybersecurity defenses in the first place, creating easy targets for what could be a lucrative payday. 

Unfortunately, they’re correct in their assumptions. Rural hospitals have indeed been struggling with even the basics of cybersecurity, with less than half receiving a passing grade in basic cybersecurity competencies, according to a new report from Microsoft.   

The report stems from a program launched in 2024, when the Biden Administration and Microsoft announced that they would be taking action to support rural hospitals as they worked to improve their cybersecurity defenses. The program enables rural hospitals, including critical access hospitals (CAHs), to receive free security assessments and discounted Microsoft products and services.

During its first year of operation, more than 550 organizations have flocked to the opportunity, with more than 375 receiving free security assessments so far. 

The high numbers of participants reflect these organizations’ eagerness to improve their cybersecurity programs – but also highlight the staggering level of need for fundamental assistance in remote regions of the country. 

Early findings from the program reinforce this worrying theme. After a year of working with rural organizations, Microsoft found that most rural hospitals have not successfully implemented basic cybersecurity best practices, including email security (65%), multifactor authentication (69%), network segmentation (62%) and vendor/supplier cybersecurity requirements (33%). 

Only 43% of rural hospitals are running basic vulnerability scanning and performing timely patching according to established processes, and a mere 29% have adequately separated end-user and privileged accounts to ensure appropriate access to sensitive portions of the network.

In addition, most rural hospitals don’t have meaningful cybersecurity training and awareness programs in place for educating users on popular attack vectors such as phishing, smishing, and other forms of social engineering.   

These massive gaps in security capabilities put rural hospitals – and their patients – at risk of significant negative consequences, including the potential loss of millions of dollars from mitigation and recovery activities, risks to patient safety due to diversions and loss of access to digital systems, and reputational hits that can affect organizations for years to come. 

Solving the problem will take more than what Microsoft can provide through its program alone, the company stresses. Instead, there is a need for concerted efforts from across the public and private sectors to provide resources and education to at-risk organizations. 

It starts with addressing near-term risks, the report says, by assessing and addressing gaps in cyber hygiene. Microsoft estimates that the costs to remediate the highest priority risks for the approximately 2100 rural hospitals in the United States would total around $75 million – a one-time cost that could dramatically improve the resiliency of the nation’s critical health resources.  

Microsoft’s cybersecurity assistance program is a positive step in the right direction, but public sector policymakers and private sector stakeholders will need to take a much more aggressive approach to closing gaps in cybersecurity for rural hospitals if more of these organizations are to clear the bar and successfully reduce their risks of cyberattacks. 


Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at [email protected].

