The government should invest now in healthcare cybersecurity, says HSCC

Funding shortfalls and workforce shortages leave small, rural and resource-constrained healthcare providers especially vulnerable to ransomware attacks that disrupt care delivery. That’s a reality that cannot be ignored, according to a new report prepared for the U.S. Department of Health and Human Services by the Health Sector Coordinating Council’s Cybersecurity Working Group.

HSCC says the government and its partners must act quickly to address understaffed healthcare cyber programs by tweaking federal healthcare funding programs to cover critical cybersecurity expenditures, augmenting healthcare cybersecurity workforces and incentivizing cyber maturity. 

Its new report is based on findings from in-depth interviews with senior executives from cash-strapped healthcare organizations across 31 states, including critical access hospitals, post-acute care, federally qualified health centers and physician groups.

“We learned that most providers know what needs to be done; they simply lack the capacity and resources to put best practices into action,” said HSCC working group members in the whitepaper, which was also submitted to the White House and Congress.

HSCC’s recommendations “are both timely and realistic,” said Jackie Mattingly, senior director of consulting services serving small- and medium-sized hospitals at the security firm Clearwater, after reading the report’s suggestions for HHS. “Cybersecurity should be recognized as a core component of care delivery and operational continuity.”

A multi-pronged problem

Nationally, cyberattacks that affect the delivery of patient care are all too common, with 36% of healthcare facilities reporting increased medical complications due to ransomware breaches, according to HSCC. 

Often, financially constrained providers may be the primary or only source of healthcare in their communities. If they must divert patients due to a ransomware shutdown, there may not be another facility close enough to safely send patients to. 

HSCC said it held weekly interviews with 42 senior executives of low-resourced healthcare organizations between Aug. 1 and Nov. 14. All were reportedly asked the same 12 questions and given time to provide as much context as possible.

Small and rural healthcare facilities’ cyber programs are lagging for a variety of reasons, the working group said. 

The many challenges include insufficient or inflexible funding, legacy systems, a dearth of cybersecurity talent in their regions, competing financial priorities, lack of formal security, and inadequate or insufficient governance. 

HSCC also cited conflicting government requirements, recommendations and guidance, delayed remediation guidance and threat intelligence, and inadequate training in identifying and responding to attacks.

To address lagging cybersecurity, the council said it supports the National Rural Health Association’s 2024 cybersecurity policy recommendations. 

It also made several of its own recommendations related to workforce funding and collaboration, changes to federal healthcare reimbursement programs and government grant use flexibilities, and measures to alleviate providers’ responsibility for third-party software vulnerabilities.

Cybersecurity investments in financially constrained healthcare organizations are not only critical to patient safety and care continuity where they are made, but central to national healthcare infrastructure resilience, Mattingly pointed out.

She has more than 20 years of experience serving in healthcare privacy and information security roles, including as chief information security officer at the non-profit, regional Owensboro Health system, which provides care in Kentucky and Indiana, and nearly five years as a security instructor at the University of Southern Indiana.

“Cybersecurity isn’t just an IT expense,” said Mattingly. “The key is flexibility. Many hospitals operate on razor-thin margins, so making cybersecurity an allowable and reimbursable operational cost would significantly reduce financial barriers and drive meaningful, sustainable improvement.”

Too few staff to mind the store

Just 14% of the healthcare leaders told HSCC that their IT security teams are fully staffed, with more than half saying they need more help and 30% reporting being understaffed or severely understaffed.

“Resource-constrained providers often have negative margins; making cybersecurity a reimbursable expense is paramount so that providers can afford the adoption of cybersecurity best practices,” HSCC’s Cybersecurity Working Group advised in its new whitepaper, “On the Edge.”

“Workforce challenges are due, in part, to a resource constraint problem.”

Most interviewees said that they “know what to do” to secure their enterprise, but they simply don’t have the workforce capacity to do it. 

The most frequently suggested “material support they could receive would be externally provided personnel on a routine, part-time basis to assist in basic and more advanced cybersecurity management,” the working group said. 

Respondents expressed how their cybersecurity capabilities could be better served by both government and community assistance for each of the working group’s 12 questions, with ratings and anonymous anecdotal comments both contained in the report. 

HSCC then recommended a suite of financial remedies, like making cybersecurity reimbursable under the U.S. Centers for Medicare & Medicaid Services and extending access to General Services Administration pricing for cyber expenditures to financially constrained providers.

Extending access to GSA pricing for cyber expenditures could “absolutely” make a difference in the short term by immediately reducing financial strain and removing “one more barrier to implementing essential cybersecurity controls,” said Mattingly. 

“Throughout my career, I’ve seen firsthand how dramatically pricing can vary,” she explained. “Smaller and rural hospitals often pay significantly more for cybersecurity tools and services due to their limited purchasing power. Extending GSA pricing would help level the playing field, allowing these providers to access vetted solutions at more affordable rates.”

Critical need for partners 

The participating healthcare leaders also said that they need trusted partners “to help certify, host, maintain and support health IT systems with modern cybersecurity capabilities.” 

Sustainable support, such as larger regional health systems donating security personnel once or twice a week or government-funded deployment of contracted managed security services providers, could allow rural and resource-constrained providers to reduce costs and maintain operational continuity during crises, HSCC said.

“Workforce augmentation for needed cybersecurity skills should be funded at the federal level through ongoing commitment of the Cybersecurity and Infrastructure Security Agency technical support programs,” HSCC advised.

Just as shared IT and security infrastructure can help reduce duplicative costs, affiliated health systems and non-profit health IT collaboratives could share expertise and address vulnerabilities.

“Whether government-led or developed through public-private partnerships, the concept is to create scalable infrastructure that hospitals can opt into, rather than build alone,” Mattingly explained. “Standing up these collaboratives would require a coordinating entity, trusted cybersecurity partners and initial seed funding.”

The whitepaper also recommended reimbursement from an incentive funding model – not unlike the “meaningful use” EHR incentive program – to better deploy recognized cybersecurity practices, such as the HHS 405(d) program’s seminal Health Industry Cybersecurity Practices and the Cybersecurity Framework. 

Creating cybersecurity incentives for small hospitals, to protect the large electronic attack surfaces that those requirements created, is a common theme among healthcare cybersecurity professionals.

Mattingly agreed that CMS could model reimbursement incentives after a program like meaningful use, financially rewarding providers that implement HICP or the NIST framework, as long as they meet specific metrics. 

Others in IT security suggest providing national protection services to the critical healthcare sector to protect against common network attack vectors abused by state-sponsored ransomware actors and other cybercriminals. 

“Why don’t we figure out a way that we can provide major health providers and their subs, and everyone else that wants it, scanning and protective DNS and secure email to make the bar that much higher for attackers to come into?” former U.S. National Security Agency Director Gen. Paul M. Nakasone said in his March keynote address at HIMSS25.

HSCC also suggested continuation and expansion of the U.S. Department of Agriculture’s Rural Loan Program to further extend cybersecurity support, from equipment, software and infrastructure purchases to potential technical assistance. 

Federal and state subsidies for contracted MSPs, and for academic institutions that deploy student engineers and cybersecurity majors, could also help bolster cybersecurity across the healthcare sector, HSCC said.

Third-party technology policing

Notably, 58% of the 77.3 million individuals affected by healthcare data breaches in 2023 were impacted by an attack on a third-party provider – a 287% increase compared to 2022, according to HSCC.

One respondent told the working group about “the need to address unregulated third-party technology and service vendors to improve their security when they connect to or are installed in health provider networks.”

Unregulated third-party technology and service providers are a key threat vector and incur costly third-party risk management demands, HSCC agreed.

“Health providers should not bear the sole burden for policing their vendors,” members of the working group said. “Such third parties must be held to an enforceable higher cybersecurity standard when they support critical healthcare infrastructure where lives are at risk.” 

Some recent proposed updates to the HIPAA Security Rule – the first updates since 2013 – aim to significantly increase accountability for business associates.

Financing better security

Existing funding pathways and reimbursement incentives, though vital, are insufficient and inflexible, according to the working group. This is particularly true for compliance with HIPAA and other regulations that currently punish healthcare organizations with fines or lost reimbursements.

When the working group’s task force asked participants about the usefulness and importance of government financial assistance, one said: “Reimbursement incentives: nice, but financial folks would not like it because money is tied to compliance.” 

While CMS reimbursement incentives could be helpful, HSCC recommended that CMS create specific billing codes for such cybersecurity imperatives as staff training. The healthcare leaders also said they need funding for outsourced cybersecurity service providers. 

With dedicated billing codes for “often mandatory but unfunded” cybersecurity activities, such as “annual risk assessments, vulnerability management, staff training, deployment of endpoint protection or multi-factor authentication and the development or testing of incident response plans,” small and rural hospitals could receive direct reimbursement, Mattingly suggested. 

Further, “CMS could offer performance-based incentives tied to a hospital’s progression toward measurable cybersecurity goals,” she added. 

Incentives might be structured in tiers with increasing reimbursement linked to demonstrated cyber maturity “in areas like asset inventory, access control and incident response preparedness,” accommodating providers at different starting points, Mattingly said. 

“A tiered model acknowledges incremental improvement while avoiding a one-size-fits-all mandate that could unintentionally penalize rural or under-resourced providers already operating under significant strain.

“Together, these models, billing codes for specific actions and performance-based incentives for strategic progress, would bring much-needed financial flexibility to under-resourced hospitals,” she said.

One-time grant support payments generally cannot be used for hiring, the working group noted. Grant programs could instead be tailored to specific needs and made ongoing as part of the payment structure, HSCC also advised.

“They should allow grantees to use funds to hire staff or participate in non-profit health IT collaboratives that provide cost-effective and scalable solutions for cybersecurity and artificial intelligence readiness,” HSCC suggested.

And with AI now accelerating delivery transformation in larger, well-monied organizations better able to afford the advanced technologies’ accompanying security costs, “resource-constrained providers will fall further behind in the adoption of this technology because they cannot bear the increased cyber vulnerabilities.” 

“Now is the time for action and investment to secure valuable information and ensure innovative healthcare delivery remains available in rural and resource-constrained communities,” said HSCC. 
