Rural healthcare cybersecurity challenges: An interview with Jason Griffin of Nordic

In the healthcare industry, rural hospitals face unique cybersecurity challenges that differ from their urban counterparts. Limited budgets, workforce shortages, and inadequate technological infrastructure make it difficult for rural organizations to keep pace with cybersecurity demands. Jason Griffin, who leads the cybersecurity and IT strategy practice at Nordic, has been instrumental in addressing these challenges. Over the past four years, Jason has driven the growth of Nordic’s cybersecurity practice, developing consulting services that meet the specific needs of healthcare providers. Jason sat down with DHI to shed light on the key obstacles rural hospitals face, the importance of governance, and how partnerships with organizations like Microsoft can help rural healthcare providers bridge the gap in cybersecurity. 

What are the most significant differences between rural and urban cybersecurity challenges? 

Jason: The main issue is access to talent and expertise. Larger organizations compete for the same talent, while smaller ones struggle to bring in that level of expertise. Ultimately, it comes down to budget and access to resources, whether it’s telemedicine, networking, or Wi-Fi. Rural hospitals face more challenges because their budgets are smaller, but they are held to the same regulatory standards as larger organizations. They have to do more with less, which requires creativity in finding ways to meet regulatory requirements without slowing down patient and clinician access. 

It seems like workforce burnout is an issue. We’re seeing many Chief Information Security Officers experiencing burnout, much like clinicians. With fewer resources and the same level of threats, I imagine burnout is a growing problem. 

Jason: Absolutely. Burnout is a big issue. In smaller organizations, when they hire talent, they train and groom it, only to see those individuals move on after gaining experience. It’s a cycle, and it’s a challenge that affects rural hospitals the most. 

Are there unique technological aspects of cybersecurity in rural settings compared to urban or suburban areas? 

Jason: One of the main issues in rural areas is connectivity. Poor connectivity can cause latency and create issues within the organization. Rural areas may lack data center space, or they may struggle with recovery after natural disasters due to their remote location. While satellite and fiber have helped improve connectivity, there are still challenges with spotty Wi-Fi in rural areas, which makes it difficult to implement telemedicine effectively. Even if we deliver services through the internet, if the network infrastructure isn’t there, it creates slowdowns and issues. 

How do you see the funding landscape evolving to help rural hospitals catch up, especially with the initial influx of telemedicine funding? 

Jason: The solution lies in partnerships. We won’t magically identify new funding for rural hospitals, and they aren’t going to come up with budgets they never had. As industry partners, we need to be creative in finding controls and service offerings that fit their budgets. The healthcare industry is mostly geared towards larger organizations with complex environments, but we need to craft solutions specifically for rural hospitals that operate with limited budgets. Telemedicine can increase revenue, but the costs are still there. We need to partner with these organizations to help them achieve sustainability. 

What kind of new technologies do you see emerging, aside from telemedicine, which now seems to be old news? 

Jason: There’s always something new and shiny, but before we even start looking at new technologies, we need to modernize existing systems. We need to focus on foundational elements like standardizing data governance and ensuring systems are integrated. Once the foundation is solid, it becomes easier to add new technologies that improve efficiency. It’s not always about having the latest tech but rather improving the bottom line and patient engagement by streamlining and integrating existing systems. 

Governance seems to be gaining importance again, especially with the rise of AI and its impact on cybersecurity. How is governance different in rural settings compared to urban ones? 

Jason: In smaller organizations, governance is still foundational, but it can be more challenging due to limited resources. That said, governance is essential for decision-making. Even in rural hospitals with small teams, there needs to be some level of rigor in decision-making processes. Large organizations can afford consultants to help with governance, but rural hospitals can’t. It’s important that we, as partners, help create templates and tools for these hospitals to implement effective governance practices. 

Resilience has been a major topic lately, especially after the recent hurricanes in Florida and North Carolina. What have you learned from these events? 

Jason: We’ve seen a lot of extended downtimes due to security incidents and natural disasters this year. Many organizations are unprepared for prolonged downtime, and the disconnect comes from conflating business continuity with disaster recovery, which are two different things. We need to help organizations understand the importance of clinical and business continuity, and that it’s not just an IT problem. 

Would you agree that continuity issues are more cultural than technological? 

Jason: Absolutely. It’s a cultural issue, and culture often trumps strategy. If an organization’s culture isn’t prepared to accept the strategic vision of inclusion and ownership, they will struggle. We’ve seen this in organizations that have faced downtime for extended periods. The conversation needs to happen at the highest levels, and leaders need to drive cultural change. 

How does Nordic assist with breach response communications? 

Jason: While I’m not a communication specialist, I understand the importance of clear communication during and after a breach. How you communicate internally and externally is crucial. Organizations that are unprepared will struggle. It’s not just about getting systems back online; it’s about managing the incident for an extended period and communicating effectively. 

Tell me more about the National Rural Health IT Community and your partnership with Microsoft. What are the goals of this initiative? 

Jason: Our goal is to create a community that supports rural healthcare organizations, particularly from a cybersecurity perspective. We’ve partnered with Microsoft and other stakeholders to provide rural hospitals with the tools they need to protect their systems at a scale that fits their budgets. This is not about getting rich; it’s about investing our time and resources into helping these organizations. We’ve created an advisory board with three CIOs from rural hospitals and are launching the community officially in November. The community will provide tools, assessments, and collaboration opportunities for rural healthcare organizations. 

This initiative seems to go beyond cybersecurity. What other areas will the community focus on? 

Jason: We started with cybersecurity, but we plan to address every aspect of rural healthcare operations, from financial sustainability to clinical sustainability. Data governance will likely be the next focal point, as standardizing data and improving interoperability are critical for rural hospitals. 

As a global company, how does Nordic approach rural healthcare from a global perspective? 

Jason: Healthcare is delivered differently in various cultures, and we’ve learned a lot from our work in Canada and Europe. We’re expanding our footprint globally, and rural healthcare challenges are not unique to the U.S. The insights we gain from working in other countries can inform how we address rural healthcare challenges globally.