Understaffed, Underfunded: Health IT Security for Small, Rural Providers

The healthcare industry has long been under scrutiny when it comes to cybersecurity, and with good reason. Recent high-profile attacks have highlighted the vulnerability of medical systems and data to sophisticated cyber threats. However, for some organizations - particularly small, rural providers - the resources needed to strengthen their cyber defenses are few and far between.

These entities often lack the funding, staffing and support to defend against advanced cyber threats consistently. "People don't realize how much these smaller systems are attacked and get hit by ransomware or are extorted just as much as the larger systems," said Jim Roeder, vice president of IT at Lakewood Health System, a nonprofit rural healthcare system based in Minnesota.

Roeder, a member of the Health Sector Coordinating Council's (HSCC) cybersecurity working group, served as a co-lead on the HSCC's resource-constrained provider cybersecurity task group. The task group interviewed 42 executives of resource-constrained provider entities across 31 states to learn how these entities approach cybersecurity and what kind of government and community support would help them bolster their cybersecurity programs.

The results, which HSCC delivered to the White House and the House and Senate Rural Health Caucuses in May 2025, showed that resource-constrained providers understand the urgency of improving healthcare cybersecurity. However, competing priorities and limited support continue to prevent progress, HSCC asserted.

"The rural hospital leaders I work with know exactly what needs to be done, but they're running on shoestring budgets with two to five people doing the work of 20," said Jackie Mattingly, senior director of consulting services at Clearwater, who is also a member of the HSCC task group. "Meanwhile, threat actors are growing more sophisticated, using AI to exploit gaps in outdated tools and legacy infrastructure."

Mattingly noted that these organizations are facing not just financial challenges but a patient safety crisis in slow motion. Providers seek funding, government support and guidance to tackle cyber risk effectively.

The report revealed several themes that could offer policymakers a roadmap to help resource-constrained providers manage cyber risk more effectively. For example, respondents repeatedly mentioned a desire for grants, subsidies and reimbursement incentives to ease the financial strain on their organizations.

Respondents also underscored a need for additional government support and guidance to help smaller organizations comply with proposed HIPAA Security Rule updates, should they pass. The HSCC suggested designating ransomware attacks as "all hazards" incidents to activate federal government support for emergency response services.

Additionally, the organization recommended increasing funding for resource-constrained providers by expanding existing programs, such as the U.S. Department of Agriculture's Rural Loan Program. It also urged CMS to provide reimbursement incentives for entities that demonstrate implementation of cybersecurity best practices.

"Through our interviews with 42 healthcare leaders at Resource-Constrained institutions, we learned that most providers know what needs to be done, they simply lack the capacity and resources to put best practices into action," the report stated. "Providers need workforce augmentation, trusted partners to help certify, host, maintain, and support health IT systems with modern cybersecurity capabilities, and the financial flexibility to invest in cybersecurity."