Natali_Mis/istock via Getty Imag

How Medicaid cuts could endanger rural hospital cybersecurity

Rural hospital cybersecurity funding may be at risk as Medicaid cuts threaten the viability of already resource-strapped rural healthcare facilities.

Funding, staffing and resource limitations have historically hindered rural hospital cybersecurity. Healthcare leaders now predict that recently approved cuts to Medicaid -- a key funding source for many rural healthcare facilities -- will further jeopardize cybersecurity resources.

President Trump signed the budget reconciliation bill, known as the "One Big, Beautiful Bill Act," into law on July 4, 2025. The law is estimated to reduce federal Medicaid spending by $1 trillion and increase the number of uninsured people in the U.S. by 11.8 million.

A Black Book Research survey of 187 leaders at small and rural hospitals released in June found that 16% of respondents had delayed or reduced cybersecurity investments, in part due to impending Medicaid funding cuts.

As rural hospitals face tighter budgets and economic uncertainty that could influence their cybersecurity resource allocations, cyberthreats continue to impact the sector at high volumes.

Rural hospitals at risk

Before the July 2025 passage of the budget reconciliation bill, lawmakers and researchers were vocal about its potential negative effects on rural communities.

June 2025 data from the Cecil G. Sheps Center for Health Services Research at the University of North Carolina at Chapel Hill showed that more than 300 rural hospitals across the nation would be at risk of closure due to the changes proposed in the bill.

"Already, rural hospitals are struggling: in 2023, there were 50 fewer rural hospitals than in 2017, and lack of health care access in rural America is contributing to worse health outcomes," several lawmakers warned in a June 12, 2025, letter to President Trump, Senate Majority Leader John Thune and Speaker of the House Mike Johnson that cited the Sheps Center research.

"Rural hospitals are often the largest employers in rural communities, and when a rural hospital closes or scales back its services, communities are not only forced to grapple with losing access to health care, but also with job loss and the resulting financial insecurity."

Medicaid is a top insurer for rural communities. Nearly one in four people in rural areas have Medicaid coverage, KFF data shows. Estimates from the National Rural Health Association and Manatt Health show that, due to the new law, rural hospitals could lose 21 cents out of every dollar they receive in Medicaid funding.

With these funding cuts, the limited resources that many rural entities have for cybersecurity could be at risk.

Financial woes jeopardize cybersecurity funding

With these funding cuts, the limited resources that many rural entities have for cybersecurity could be at risk.

"Rural healthcare is in trouble. The loss of Medicaid funding will absolutely be a financial blow to these organizations," Michael Hamilton, field chief information security officer at Lumifi Cyber, said in an email interview.

"This will only exacerbate the limitations on improving cybersecurity in these organizations, and the confluence of other events may combine to completely put them out of business permanently."

As previously reported, rural healthcare facilities face numerous healthcare cybersecurity challenges. The funding constraints, ongoing cybersecurity workforce shortage and ever-changing cyberthreat landscape that impact healthcare organizations nationwide are more pronounced at rural organizations, which typically have fewer resources compared to their larger counterparts.

A 2025 Health Sector Coordinating Council report, consisting of interviews with 42 executives of resource-constrained provider entities across 31 states, observed significant budget challenges. Respondents said their organizations devote between 13% and 15% of their IT budget to cybersecurity but struggle to prioritize cybersecurity spending over budget allocations for direct patient care needs.

More than 70% of the Black Book Research survey respondents reported having inadequate cybersecurity infrastructure to guard against targeted cyberattacks. Researchers also found that cybersecurity accounted for less than 4% of total IT budgets at 69% of the surveyed facilities.

"This dangerous trend is consistent across urban and rural safety-net facilities: when budgets shrink, cybersecurity is the first line-item cut-even though administrators recognize the catastrophic risks involved," Doug Brown, founder of Black Book Research, said in a press release accompanying the firm's research.

The budget reconciliation law allocated $50 billion over the next five years to rural healthcare under its Rural Health Transformation Program. Half of the funds will be distributed equally across all 50 states, while the other half must be used for certain pre-determined activities, such as value-based care initiatives and technical assistance for cybersecurity. States will have to submit applications to CMS by Dec. 31, 2025, detailing their rural health transformation plans to receive the funds.

However, the National Rural Health Association expressed concerns about the program's ability to offset the effects of major Medicaid cuts on rural entities, considering the numerous provisions that could financially impact rural entities and patients.

While patient care remains the most important directive for rural healthcare organizations, cybersecurity improvements could become more difficult to prioritize in the coming months.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.

Dig Deeper on Cybersecurity strategies