IT Director Jim Bartilson and his team at South Peninsula
Hospital in Homer, Alaska, spend their workdays managing
user accounts, monitoring installed systems and hardware,
and researching protective software. “I
personally spend about 3 hours a day managing some of our
security systems,” Bartilson says,
“which helps me stay current with security
risks, evaluate new systems for deployment, and analyze
our current systems.”
While his IT team seems removed from the patients, they
are working right beside the medical staff to protect
those who walk through the hospital doors. While the
medical staff works to prevent diseases and improve
patients' health, Bartilson and his IT team work to
safeguard their information.
Risks and Barriers in Rural Communities
Ransomware is one of the most prevalent types of malware
(malicious software) affecting healthcare facilities.
This malware encrypts the system's data, preventing
anyone from accessing data unless a ransom is paid.
Sometimes, those who pay the ransom are still unable to
recover their files.
According to the U.S. government document
How to Protect Your Networks from Ransomware, the
number of ransomware attacks has increased 300%, from
1,000 attacks per day in 2015 to 4,000 attacks per day in
2016. While urban and rural networks are both targeted,
rural-based information systems may be at a greater risk
in an attack.
Rural and smaller facilities may not be targeted more,
but rural facilities tend to have less training,
resources, and protections in place.
“Rural and smaller facilities may not be
targeted more, but rural facilities tend to have less
training, resources, and protections in place,”
explains Joe Wivoda, CIO and HIT Consultant at the
Health Resource Center.
For example, urban healthcare facilities may have a large
IT team, while rural facilities might have one IT
employee who works part-time. Cost is also a barrier for
many rural facilities, as it takes financial resources to
purchase updated software or hire someone to install a
firewall. For some facilities, cybersecurity may not seem
like a top priority.
Wivoda adds that rural facilities without IT staff can
team up with other facilities or contract out.
“In rural,” Wivoda explains,
“we have to work together as much as we
As with other healthcare positions, many rural facilities
have come to rely on traveling or agency staff to fill
vacant positions. While filling an important need, this
type of staffing can be an added risk to facilities'
cybersecurity, since these employees might not have
completed the same orientation and training as the other
employees. These risks make recruitment and grow-your-own
efforts for IT staff all the more important for rural
Despite the barriers, rural facilities possess a strength
that urban facilities may not. Since everyone tends to
know each other in smaller communities, rural healthcare
staff may hold themselves more accountable to safeguard
their patients' information from unauthorized access,
modification, or destruction. South Peninsula Hospital is
one such facility that works hard to safeguard the
information of its patients, families, and neighbors.
South Peninsula Hospital
South Peninsula Hospital (SPH), a 22-bed
Critical Access Hospital (CAH), takes a top-down approach
to cybersecurity. Bartilson explains, “You
cannot be effective managing security risks unless you
have support from your senior leadership and operating
SPH provides primary care, outpatient specialty clinics,
and long-term care, along with emergency medicine. The
60-year-old hospital employs over 450 people and serves a
population of 13,000 living in a 50-mile radius.
You cannot be effective managing security risks unless
you have support from your senior leadership and
“We are one of the pillars of the
community,” says Derotha Ferraro, Director of
Public Relations & Marketing at SPH. “We've
been here the longest and we're the largest
employer.” This status in the community adds
extra incentive for hospital staff to protect their
“Jim has to look all of these people in the
face when he goes to the grocery store or the post office
or the hardware store,” Ferraro explains about
Bartilson's role as IT Director. “That adds a
layer of responsibility that might not be as raw in a
much larger environment.”
That accountability to the community extends into the
workplace as well, as Bartilson and his IT team are also
responsible for their coworkers' information. This
responsibility can serve as a powerful motivator.
Bartilson explains, “I don't want to ever have
to walk into my CEO's office and tell him we have an
Such an issue would lead not only to compromised
information but also liability and downtime.
“Liability” refers to the costs
associated with a data breach, such as fines, credit
monitoring for those affected, and rise in insurance
rates. “Downtime” is the time and
work lost if a facility needs to shut down or if infected
servers shut themselves down.
The hospital is constantly bombarded by malware, so
Bartilson and his team's work is never done:
“Security systems are no longer set it and
forget it,” Bartilson explains. If viruses do
occur, the IT team works to find the source and educates
coworkers on safe practices so that future attacks can be
An Ounce of Prevention
The more informed the user is, the stronger the security
Prevention is key, not just for the IT staff of six but
for anyone who works for SPH. While the hospital uses
software programs to safeguard its data, staff members
also need to be on the lookout for suspicious-looking
emails and attachments. “The more informed the
user is, the stronger the security can be,”
Training occurs during new employee orientation and
throughout a staff member's career. New employees at SPH
spend an hour of their orientation learning about
The IT staff offers continual education to the other
staff members by sending out alerts and offering videos
for refresher courses.
You have to train everyone, not just one department, but
everyone who touches a computer.
Wivoda supports Ferraro's emphasis on the importance of
providing training for all users: “You have to
train everyone, not just one department, but everyone who
touches a computer.”
This training – teaching staff how to spot
suspicious-looking emails and how to back up their files
– can be outsourced or found online.
HIPAA Training & Resources can be a useful tool, with
links to security training games and risk assessment
Sometimes, Bartilson and his IT team provide articles
about recent data breaches at other healthcare
facilities. These articles serve as learning
opportunities, as the team then describes what SPH
employees can do to avoid a similar situation.
In addition to these cautionary tales, the IT team makes
sure to recognize coworkers who catch and report
suspicious links and emails. This reminds all staff
members that they each play a part in protecting the
hospital's information. Bartilson and the team also act
as mentors so that their coworkers feel capable of taking
on more responsibility with cybersecurity at work and in
The IT team members keep up their own knowledge base
through webinars, certificate classes, and web classes.
“We have assembled a special group of dedicated
IT professionals at SPH,” says Bartilson,
“and there isn't a day I'm not amazed with
their ability and hard work.”
While other rural facilities may not be able to afford an
IT team of six, they may have resources that SPH does
not. “Other areas would have more access to
consulting services,” Bartilson explains.
“Our distance from the next largest town – the
travel expenses are not cost-effective for that
While cybersecurity is a priority at SPH, it is certainly
not the hospital's only IT priority. Ferraro explains
that the IT team members “make sure that we're
secure but that systems are working toward the best care
possible at the same time, so that neither side is
Whether a rural facility has six IT staff members or
none, the latest in technology or aging IT
infrastructure, training and vigilance of all staff will
make a difference in the security of patient information.
Wivoda adds, “It's a solvable problem, and we
can make a difference.”
Allee Mead is a web writer for the Rural Health Information Hub. She has written on important rural issues, including maternal mortality and farmers' mental health, and has presented nationally on RHIhub's opioid resources. Originally from rural North Dakota, she has a master's degree in English. Full Biography