The Health Sector Coordination Council (HSCC) Cybersecurity Working Group (CWG) has highlighted the major cybersecurity challenges facing resource-constrained healthcare providers in the United States. Its recent report points to limited workforce and expertise, outdated systems, and inadequate funding as the sources of these challenges. The report has been submitted to the U.S. Department of Health and Human Services, the White House, and the House and Senate Rural Health Associations, urging both government and the broader health care community to invest in workforce development, financial support, and strategic partnerships to strengthen cybersecurity and protect patient safety.
In a report entitled “On The Edge: Health of America-Constrained Health Providers,” HSCC explores the cybersecurity preparedness of small, rural, and resource-deprived healthcare institutions, including critical access hospitals, family clinics, skilled nursing facilities, and federally qualified health centers (FQHCs). The report finds that these providers are barely prepared to defend against escalating cyber threats that put clinical care and operational stability at risk. It also outlines the forms of support needed to meet the growing number of cybersecurity regulatory requirements.
“We observed that this report sheds a critical light on the cybersecurity challenges that threaten resource-constrained healthcare providers like ours,” said Jim Loader of Minnesota-based Lakewood Health, co-lead of the HSCC Task Group that prepared the report.
Loader said, “Cybersecurity is not just an IT issue, it's a patient safety issue. Protecting the health and well-being of our community means ensuring resources and support to protect us from evolving cyber threats.”
“The report accurately captures the challenges facing rural hospitals,” said Teana Fallgatter of a rural collaborative organisation that represents 28 rural hospitals in Washington, in a recent media statement. “As it is already too thin and is experiencing increasingly sophisticated cyberattacks, hospitals are not successful in protecting their citizens without government support. We need to find ways to provide the urgently needed funding to make rural hospitals and their patients a priority, despite the lack of national budgets.”
The findings are based on face-to-face interviews with 40 executives from resource-constrained health systems in 30 states. Participants consistently reported serious challenges due to limited personnel, outdated technology and inadequate funding. Most organizations understand what cybersecurity measures they need but lack the means to implement them effectively. To bridge this gap, the report highlights the urgent need for a larger workforce, sustainable financial investment, and public-private partnerships to enhance cybersecurity and protect patient safety.
The report reveals a shared understanding of the challenges and requirements of managing cybersecurity effectively. Most participants recognized strong links between cybersecurity and key health outcomes, including patient safety, operational continuity, financial stability, and governance monitoring. Interviewees provided various recommendations on how government and community partners can better support their cybersecurity efforts.
A recurring theme was the belief that many healthcare organizations know what they need to do to secure their systems but do not have the staff capacity to do it. The most frequently cited need was direct and continuous access to external cybersecurity personnel. Respondents emphasized that routine, part-time support from trained cybersecurity professionals would provide the most meaningful help. Several sustainable delivery models have been proposed: a large community health system that donates staff once or twice a week to smaller facilities; government-funded deployment of managed security service providers (MSSPs) for subscribed health systems; and a state-controlled “cyber corps” drawing on the National Guard or other qualified personnel.
Non-profit IT cooperatives were also highlighted as a valuable model. These organizations help rural and resource-constrained providers reduce costs, share infrastructure and maintain operations during a crisis by leveraging economies of scale and promoting collective learning. Despite knowing how to implement cybersecurity best practices, many providers lack the means to do so and do not have enough staff for their IT infrastructure.
Some interviewees supported using reimbursement incentives to drive cybersecurity improvements. They suggested a “meaningful use”-style model, similar to the one used for the adoption of electronic health records, in which the Centers for Medicare and Medicaid Services (CMS) would provide payments to organizations that demonstrate implementation of recognized cybersecurity frameworks, such as the Health Industry Cybersecurity Practices (HICP) and the NIST Cybersecurity Framework. This approach is supported by Public Law 116-321, which allows the Office of Civil Rights (OCR) to consider such practices when determining penalties for HIPAA enforcement actions.
While workforce support and reimbursement incentives topped the list of needs, grants and training were ranked as low priorities. Grants were seen as overly competitive, narrowly scoped, and burdensome to administer. When it comes to training, many organizations pointed out that they lacked knowledge. They have no one to do the work.
The HSCC report suggests that unregulated third-party technologies and service providers represent key threat vectors and impose costly third-party risk management demands. Healthcare providers must not bear the sole burden of policing vendors. Such third parties must be held to higher, enforced cybersecurity standards when supporting critical healthcare infrastructure where livelihoods are at risk.
Additionally, a larger workforce with the required cybersecurity skills must be funded at the federal level through an ongoing commitment to the US Cybersecurity and Infrastructure Security Agency (CISA) technical support program, National Guard support, and other programs for cybersecurity incident response.
The HSCC report noted that CMS reimbursement incentives could be useful, but some providers may hesitate if the money is tied to compliance. CMS must create specific billing codes for cybersecurity activities such as staff training. Because resource-constrained providers often operate on negative margins, making cybersecurity a reimbursable expense is paramount so that providers adopt cybersecurity best practices. The workforce challenges are partly due to resource constraints.
We recommend continuing and expanding the USDA's rural loan program. The program supports rural entities such as healthcare providers with various forms of cybersecurity support, including funding for equipment, software, and infrastructure; securing the rural development portfolio by managing risks to healthcare facilities; potential technical assistance providers; and convening rural community leaders and healthcare providers to share information and resources.
They also recognized that one-time grant payments were not sufficient and generally could not be used for hiring. Grant programs must be tailored to the specific needs of resource-constrained healthcare providers and must continue as part of the payment structure. They should allow grantees to use the funds to hire nonprofit health IT collaborators who provide cost-effective and scalable solutions for cybersecurity and artificial intelligence (AI) readiness.
The report also focuses on an easily accessible library of best practices for regulatory and technical training of IT staff, assistance with related health systems, access to GSA schedule pricing for cyber spending, and healthcare cybersecurity management.
HSCC also supports cybersecurity policy recommendations provided by the National Rural Health Association in 2024.
In conclusion, the HSCC said the need for cybersecurity in healthcare is only becoming stronger. “Resource-constrained providers still don't have the workforce, partners, and tools to implement cybersecurity best practices. Through interviews with 42 healthcare leaders from resource-constrained agencies, I learned that most providers know what they need to do.”
Providers have recognized that they need to increase the workforce, trusted partners, and financial flexibility in investing in cybersecurity to help certify, host, maintain and support health systems with modern cybersecurity capabilities. “Looking at the healthcare landscape today, artificial intelligence is accelerating the transformation of delivery at large institutions that can afford new technologies and the cybersecurity costs associated with them.”
Furthermore, resource-constrained providers are falling further behind in adopting this technology because they cannot withstand an increase in cyber vulnerabilities. “Now is the time for action and investment to ensure valuable information and continue to make innovative healthcare delivery available in rural and resource-constrained communities.”
In March, the HSCC released a set of considerations outlining how government policies and programs can support health sector efforts to enhance cybersecurity and mitigate risk. These proposals are intended to encourage dialogue and innovation between government and industry by highlighting the “what” rather than prescribing “methods.” Although not exhaustive or normative, they provide a flexible framework for shaping effective initiatives.
When enacted under existing or new statutory authorities, these concepts can help reduce sector-wide cyber risk through financial incentives, grant-based support, and operational support, particularly for underfunded providers such as small-scale practices, critical access hospitals, safety net facilities, and rural emergency hospitals.
The recommendations are organized into five categories. The first focuses on preparedness support and information sharing to improve awareness and coordination across the sector. The second highlights the need for financial support and incentives to help healthcare institutions invest in essential cybersecurity measures.
The third deals with incident response and recovery, ensuring that providers have the resources and guidance they need to respond effectively to cyber incidents. The fourth emphasizes workforce development, with the aim of building and maintaining the cybersecurity talent needed for the health sector. Finally, the fifth category, regulatory reform, calls for cybersecurity expectations to be aligned with the unique realities of under-resourced healthcare providers.
Each recommendation is numbered to correspond to the original HSCC recommendation document, allowing easy reference and contextual consistency with the related suggestions.