Rural Healthcare Cybersecurity Aid Grows, But Challenges Persist

August 22, 2023 - Healthcare cybersecurity is a challenge for providers, network defenders, and regulators across the US, as exemplified by the influx of data breach notifications reported to HHS this year alone. But protecting patients and hospitals from the damaging effects of a cyber incident is an even bigger obstacle in rural areas, where hospitals are smaller, have fewer resources, and are geographically distant from one another.

Thankfully, an increased government focus on national cybersecurity brought the issue of rural healthcare cybersecurity to the attention of lawmakers. In March, healthcare industry leaders testified at a Senate Homeland and Governmental Affairs Committee hearing about these issues. In May, lawmakers introduced the Rural Hospital Cybersecurity Enhancement Act.

As positive strides are made in the healthcare cybersecurity space, there is still work to be done to raise awareness of the unique cybersecurity challenges that rural medical facilities face and how they can mitigate risk today.

Unique Cyber Challenges of Rural Healthcare Facilities

“The impact on rural communities during a cyberattack is hard to overstate,” Kate Pierce, senior virtual information security officer at Fortified Health Security, said to lawmakers during the hearing in March.

“While attacks in urban areas are impactful, populated areas provide other healthcare options for patients to choose from. In most rural areas, the next closest healthcare facility may be 45 miles away or more, making the diversion of patients infeasible.”

As previously reported, rural hospitals face a variety of unique cybersecurity challenges, all compounded by hospital closures and consolidations. A 2021 report from the Government Accountability Office (GAO) observed the median travel distance to a hospital increase by about 20 miles in areas where a rural hospital had closed.

In a recent interview with HealthITSecurity, Pierce once again stressed the severe impact that a cyberattack could have on a rural healthcare facility and its patients.

“Those small facilities try to keep going, but the impact of continuing to see patients still can cause significant delays in care. We're so dependent on medical records now for the information that we use to treat our patients, so if a physician doesn't have access to the medical record when he's seeing the patient, he can't make the best possible decisions in that case,” Pierce said.

“They really are caught between a rock and a hard place. They really can't divert patients, but it's very difficult for them to continue to see patients as well.”

Additionally, budget constraints put a strain on rural hospitals that may force entities to prioritize other critical needs over cybersecurity. Pierce, who worked at a rural hospital in Vermont for more than 20 years, knows firsthand the difficulties of finding resources to devote to cybersecurity when there are seemingly more pressing issues to address.

“Coming out of COVID, those facilities are particularly strapped budget-wise, and so it becomes very difficult for them to justify spending money on cybersecurity versus nursing staff, et cetera,” Pierce noted.

“Cybersecurity is currently not mandated, therefore, it's a difficult decision to spend money in those areas.”

In addition, cyberattacks may have a direct impact on a hospital’s ability to keep its operations going in the long run. One rural hospital in Illinois recently announced it would be closing its doors permanently, partly due to the financial fallout from a 2021 cyberattack. The attack on the Spring Valley and Peru, Illinois locations of St. Margaret’s Health drove the hospital into EHR downtime and prevented it from submitting claims to insurers for multiple months.

The hospital’s closure further exemplifies the urgency of addressing healthcare cybersecurity risks, especially at rural facilities.

Increased Awareness Prompts Legislative Action

At the Senate Homeland and Governmental Affairs Committee hearing, four healthcare leaders from organizations big and small shed light on ongoing healthcare cybersecurity challenges and how the federal government could help the sector improve its security posture.

Nearly all the speakers highlighted the impact of healthcare cyberattacks on rural communities. Experts championed additional funding and cyber policies geared toward rural healthcare entities, including the possibility of incentive- or grant-based assistance for critical access and rural providers.

“The committee that they assembled was pretty broad, and I'm glad to hear that the rural hospitals were at the table and that we had a voice. I think they heard us loud and clear,” Pierce noted. “It's a very bipartisan-supported issue with Congress right now, so that's a good thing.”

In addition to focusing on rural healthcare cybersecurity, the healthcare leaders encouraged lawmakers to improve communication and coordination between industry and government stakeholders and to establish minimum required security standards for all healthcare entities.

Shortly after the hearing, the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG), of which Pierce is a member, got to work on delivering a “Hospital Cyber Resiliency Initiative Landscape Analysis.”

The landscape analysis provided HHS with key data on the current state of hospital cyber resiliency, taking into account key metrics from threat intelligence reports and open-source intelligence, as well as interviews with geographically and demographically diverse hospitals.

Throughout the report, there were mentions of cybersecurity challenges being exacerbated in rural communities in which communication bandwidth is limited, antiquated tech is commonplace, and securing cyber talent is an uphill battle.

Following the report and more momentum for healthcare cybersecurity, Senators Josh Hawley (R-MO) and Gary Peters (D-MI) introduced the Rural Hospital Cybersecurity Enhancement Act. The legislation aims to tackle rural healthcare cybersecurity challenges by requiring the Cybersecurity and Infrastructure Security Agency (CISA) director to develop a “comprehensive rural hospital cybersecurity workforce development strategy.”

Additionally, the act would require the CISA director to create instructional materials to help rural hospitals train staff on key cybersecurity measures, in addition to supporting the creation of new curricula, public-private partnerships, and policy recommendations. The act has not yet gone beyond the introduction phase, but still provided welcome attention to the issue of rural healthcare cybersecurity.

In recent months, the White House has also issued its National Cybersecurity Strategy and Implementation Plan as well as a National Cyber Workforce and Education Strategy, both of which underscored the administration’s focus on cybersecurity.

“There is a lot of momentum happening right now, because they are truly recognizing the seriousness of these cyberattacks on our nation.” Pierce said. “So, this is a good time to mobilize and help them to further understand what the challenges are in healthcare and how we differ from other sectors.”

What Rural Healthcare Facilities Can Do Now

As these national cybersecurity plans and strategies come to fruition, hospitals across the country are still being targeted by cyberattacks. With this in mind, it is important that rural healthcare entities take action now to mitigate risk.

“There are a number of resources out there,” Pierce noted, first referring rural entities to the recently updated Health Industry Cybersecurity Practices (HICP) publication. The HICP is a multi-volume publication that consists of consensus-based cybersecurity guidelines.

The HICP even includes a technical volume crafted specifically for small healthcare organizations, covering implementation guidance for key security tools such as vulnerability management and email protection systems.

“Those documents are very solid, and if you look at the one for small organizations, there pretty basic steps that everybody should be taking. I would urge them to start looking at that,” Pierce explained.

Other free resources that can be useful for healthcare cybersecurity include the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the HSCC’s Joint Security Plan (JSP).

In addition, Pierce recommended getting in touch with local government representatives who can help provide access to key resources.

“Find out who your local CISA and FBI reps are. Reach out to them, ask them to come and visit your hospital. They will make time for you and they will help you, and they've got some things that they can do that will cost you nothing except a little bit of time, and it's well worth it,” Pierce advised.

“You don't want your first call to those particular folks to be, ‘I have an incident I need to report and I need help.’ You want them to know who you are and know that you're doing your best to mitigate those risks.”

Getting in touch with these representatives now ensures that they can better assist an organization at the time of a cyberattack.

“There is no doubt that 2023 is going to be a very significant year when it comes to cyber,” Pierce predicted, pointing to the high volume of breaches that have already been reported.

Additional help is on its way to rural healthcare entities, but they must continue to work with the resources they have now in order to mitigate immediate risks.