Understaffed, underfunded: Health IT security for small, rural providers
Under-resourced providers face the same healthcare cybersecurity challenges as their larger counterparts but often lack the staffing and support to effectively manage risk.
Increased attention by policymakers, industry leaders and the public has put a spotlight on healthcare cybersecurity challenges, pushing providers across the U.S. to improve their cybersecurity programs. However, for some organizations, such as rural and critical access hospitals, small physician practices and federally qualified health centers, the resources needed to strengthen cyber defenses are few and far between. They often lack the funding, staffing and support to defend against sophisticated cyberthreats consistently.
"People don't realize how much these smaller systems are attacked and get hit by ransomware or are extorted just as much as the larger systems," said Jim Roeder, vice president of IT at Staples, Minnesota-based Lakewood Health System, a nonprofit rural healthcare system, in an interview.
Roeder, a member of the Health Sector Coordinating Council's (HSCC) cybersecurity working group, served as a co-lead on the HSCC's resource-constrained provider cybersecurity task group, which formed in June 2024.
The task group interviewed 42 executives of resource-constrained provider entities across 31 states to learn how these entities approach cybersecurity and what kind of government and community support would help them bolster their cybersecurity programs.
The results, which HSCC delivered to HHS, the White House and the House and Senate Rural Health Caucuses in May 2025, showed that resource-constrained providers understand the urgency of improving healthcare cybersecurity. However, competing priorities and limited support continue to prevent progress, HSCC asserted.
"The rural hospital leaders I work with know exactly what needs to be done, but they're running on shoestring budgets with two to five people doing the work of 20," said Jackie Mattingly, senior director of consulting services at Clearwater, who is also a member of the HSCC task group, in an email interview.
"Meanwhile, threat actors are growing more sophisticated, using AI to exploit gaps in staffing, training and aging systems. The current state of rural health is one of constant triage, and cybersecurity has become yet another critical area competing for already-stretched resources."
As healthcare organizations of all sizes continue to face significant cyber threats, industry leaders are working to understand and raise awareness of the scope and severity of the challenges that resource-constrained providers face.
Exploring top cybersecurity challenges of resource-constrained providers
The HSCC's report defined a resource-constrained provider as a "medical facility or individual practitioner encountering significant obstacles in providing comprehensive healthcare services and conforming to operation standards, often due to financial constraints, geographic isolation, or patient population characteristics."
"These constraints further impede the ability of resource-constrained health providers to implement, maintain, and enhance cybersecurity measures," the HSCC continued.
Insufficient funding, inadequate governance, multiple outdated legacy systems and an inability to attract cybersecurity talent all contribute to the challenges these entities face, HSCC found.
When it comes to funding, several report respondents said that their organization devotes between 13% and 15% of its IT budget to cybersecurity. Even so, many respondents stressed that they struggle to prioritize cybersecurity spending over budget allocations for direct patient care needs.
"So, say you have a $2 million budget, you can do cybersecurity software or services, or you can get that new CT or MRI machine. And then you look at which one's going to give you revenue, which one's going to bring in patients?" Roeder noted.
"It oftentimes comes down to that battle between doing what you need to do and should do for cybersecurity, but at the same time, trying to keep those doors open for patients. And a lot of these facilities are in rural areas where they are the only healthcare for miles and miles."
Additionally, the ongoing cybersecurity workforce shortage, which has impacted organizations globally, has put a strain on rural providers.
"At a critical access hospital, all of us probably do five different job roles in a given day," Roeder said. "It's just the nature of the beast."
Respondents reported relying on help desk staff and investing in workforce development to address the shortage, but challenges persist with getting qualified cyber talent to work for rural or under-resourced entities.
Cyberattacks can have widespread impacts on a healthcare organization's sensitive data, daily operations and ability to provide care, sparking patient safety concerns.
Respondents reported feeling largely prepared for increased cyber risk from a technical perspective, but were worried about the unpredictability of future cyberattacks.
Additionally, resource-constrained entities are continuing to reap the benefits of increased access to broadband, telehealth, AI and other technological advancements. However, the report stated that these technologies also create an increased attack surface.
Mattingly noted that the HSCC's report "is one of the clearest validations I've seen of what those of us in the trenches already know: rural and resource-constrained healthcare providers are being asked to defend against modern, AI-enabled cyberthreats using outdated tools, legacy infrastructure, and skeletal teams."
"This isn't just a funding issue, it's a patient safety crisis in slow motion," she said.
Providers seek funding, government support to tackle cyber risk
The report revealed several themes that could offer policymakers a roadmap to help resource-constrained providers manage cyber risk more effectively. For example, respondents repeatedly mentioned a desire for grants, subsidies and reimbursement incentives to ease the financial strain on their organizations.
Respondents also underscored a need for additional government support and guidance to help smaller organizations comply with proposed HIPAA Security Rule updates, should they pass. Some expressed frustration with the complexity and cost of applying for grants and the need for funding for outsourced cybersecurity service providers.
In 2025, the HSCC issued several policy recommendations to address the top concerns and challenges of resource-constrained providers. Among the recommendations was a proposal to augment workforce development programs through federal funding and support from larger health systems.
Additionally, the HSCC recommended designating ransomware attacks as "all hazards" incidents to activate federal government support for emergency response services. The organization also suggested increasing funding for resource-constrained providers by expanding existing programs, such as the U.S. Department of Agriculture's Rural Loan Program.
What's more, the HSCC suggested that CMS provide reimbursement incentives for entities that demonstrate implementation of cybersecurity best practices, such as those outlined in the Health Industry Cybersecurity Practices publication and the National Institute of Standards and Technology cybersecurity framework.
"Through our interviews with 42 healthcare leaders at Resource-Constrained institutions, we learned that most providers know what needs to be done, they simply lack the capacity and resources to put best practices into action," the report stated.
"Providers need workforce augmentation, trusted partners to help certify, host, maintain, and support health IT systems with modern cybersecurity capabilities, and the financial flexibility to invest in cybersecurity."
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.