Cybersecurity for Rural Healthcare Facilities

Rural healthcare facilities face the same cyberattack threats to their ongoing operations and finances as larger healthcare systems, yet may lack the in-house staff and financial resources to protect their data or respond to an attack. Rural facilities may also be vulnerable to the impacts of attacks on other healthcare industry organizations they rely on, for example for outsourced services or payment. They are also charged with protecting the privacy and security of patient and employee information, which is often a specific target of online attacks.

This guide identifies the current rural health environment related to cybersecurity, as well as resources available to help rural facilities. To ensure the safety and privacy of their patients, protect their ability to deliver healthcare services, and maintain financial solvency, rural healthcare facilities need to understand and be ready to address a wide range of ever-evolving potential threats. In particular, AI (artificial intelligence) has changed the playing field and is emerging as both one of the greatest threats and as a potential defense against cyberattacks. Healthcare organizations' leaders need to be aware of the importance of conducting regular risk assessments and cybersecurity audits and securing cybersecurity insurance coverage for a potential breach.

For a broader look at emergency preparedness concerns, including cybersecurity, see the Rural Emergency Preparedness and Response topic guide and Rural Emergency Preparedness and Response Toolkit.

For more general information about health information technology (HIT) and the HIT workforce, see the Telehealth and Health Information Technology in Rural Healthcare topic guide.

Understanding the Risks

Cybersecurity: A Path to Increase Rural Health Care Preparedness, a policy brief from the National Rural Health Association, outlines the challenges that rural healthcare facilities face related to cybersecurity. It also offers policy recommendations targeted to the specific concerns of rural communities that could improve support, collaboration, and education.

The rise of AI in cyberattacks, as reported in the Microsoft Digital Defense Report 2025 CISO Executive Summary, and the increased use of telehealth and broadband in healthcare are exposing facilities to magnified risks. On the Edge: Cybersecurity Health of America's Resource-Constrained Health Providers Findings and Recommendations, a 2025 publication from the Health Sector Coordinating Council Cybersecurity (HC3) Working Group, reports that small rural healthcare facilities face a range of challenges addressing cybersecurity concerns:

• Insufficient funding and competing priorities for limited resources
• Outdated computer systems
• Challenges recruiting and retaining cybersecurity staff
• Difficulty providing adequate ongoing training and support to administrative and clinical staff
• Lack of systematic ways to stay current on alerts and prepared to identify and respond to attacks.

As cyberattack strategies become more sophisticated, all staff working in rural healthcare facilities will need guidance and training on the latest threats. Approaches that once worked to protect systems may become obsolete. For example, AI can be used to create voice messages impersonating key staff to falsely authorize access to systems.

Compounding these challenges, the remoteness of rural facilities can make it more difficult to transfer patients to another facility in the event of a cyberattack. Rural facilities may also be seen as an easier target due to their lack of resources, and even those that are part of a larger healthcare system may be attractive as an easier entry point to those systems. In The Rural Hospital Cybersecurity Landscape, a report from Microsoft, rural hospitals are identified as potentially vulnerable to email-based threats due to reliance on older IT systems, missing out on recommended software updates and patches, and poor management of identity/credentials. Hospital Cyber Resiliency Initiative Landscape Analysis, a 2023 report developed by the U.S. Department of Health and Human Services (HHS) and the HC3 Working Group, discusses similar concerns and identifies additional challenges rural hospitals face such as concerns related to cybersecurity insurance coverage exclusions if the facility is not able to meet minimum security standards.

Ransomware attacks on rural facilities — where access to an organization's information technology system is seized by an unauthorized party and held for ransom — are a major threat to the healthcare industry. The 2024 Internet Crime Report from the Internet Crime Complaint Center (IC3) reported that the healthcare sector was the most impacted by cyber threats, with 238 ransomware and 206 data breach complaints received in 2024 being healthcare-related. Understanding the Rise of Ransomware Attacks on Rural Hospitals, a June 2024 policy brief from the University of Minnesota Rural Health Research Center, reports on an increasing number of ransomware attacks impacting rural hospitals from 2016 to 2021. Impacts from these attacks included operational disruption, delays and cancellations of appointments, and ambulance diversion.

An October 2025 update from the American Hospital Association, 2025 Cybersecurity Year in Review, Part One: Breaches and Defensive Measures, describes trends in cyberattacks impacting the healthcare sector and related steps to prevent a breach or mitigate damage.  Many recent ransomware attacks have also involved theft of data, and most stolen protected health information is not stolen directly from healthcare facilities but rather from third-party organizations. It is important to review the applications and vendor solutions in use at the facility to understand related risks from working with their products. Given the complexity of this task, facilities may want to work with an outside service for risk management. 2025 Cybersecurity Year in Review, Part Two: Mitigating Third-Party Risk, Ensuring Clinical Continuity and Addressing AI Risk discusses the need to prepare for interruption to services of 30 days or longer and the importance of focusing on clinical continuity. It also provides examples of how AI is being used in cyberattacks.

Attacks on companies that offer outsourced services, such as billing, can impact rural facilities' ability to operate. For example, the February 2024 attack on Change Healthcare, a health payment processing company, resulted in delays and unpaid claims for clinics and hospitals, as well as leaked health information for patients. The attack was of particular concern for rural practices operating with fewer financial resources to fall back on.

In Need of a Checkup: Examining the Cybersecurity Risks to the Healthcare Sector, a 2023 U.S. Senate Committee on Homeland Security and Governmental Affairs hearing, includes testimony from Kate Pierce, the former Chief Information Officer and Chief Information Security Officer of an Alabama Critical Access Hospital, who discusses cybersecurity in small and rural hospitals.

Rural Case Studies

Rural facilities may find it helpful to review case studies from other rural healthcare facilities that have experienced a cyberattack. It may be difficult to find examples due to concerns organizations may have about the negative impacts of sharing their experiences. However, this type of reporting can help everyone become more prepared.

An Unseen Threat Actor Attacks a Critical Access Hospital's Digital Network in Sandusky, Michigan, in the Rural Emergency Preparedness and Response Toolkit, provides a detailed account of a March 2022 ransomware attack on the McKenzie Health System and a recovery that benefited from having a disaster recovery plan and offsite redundancy in place.

Recovering from a Cybersecurity Attack and Protecting the Future in Small, Rural Health Organizations, in the Rural Monitor, shares information from the McKenzie Health System's experience, as well as from a 2019 cyberattack in Colorado that impacted Estes Park Health, a Critical Access Hospital and affiliated outpatient clinic. The article also provides insights from an information technology compliance expert, actions organizations can take, and list of cybersecurity resources.

How Sky Lakes Medical Center Overcame a Ransomware Attack summarizes the response of a rural Oregon hospital to a 2020 cyberattack that began from a phishing e-mail to a hospital employee and resulted in the hospital having to shut down all systems and work offline while rebuilding the network. A March 2021 recorded webinar, Lessons Learned From the Sky Lakes Medical Center Ransomware Attack of 2020, provides additional insights.

Tools and Resources for Rural Providers

Cybersecurity Practices for Small Healthcare Organizations, a 2023 U.S. Healthcare & Public Health Sector Coordinating Council guide, outlines key healthcare cybersecurity practices for small healthcare organizations, as well as resources for managed IT services and vendor selection. It covers topics such as email protection, access management, data protection, and incident response. In addition to this volume focused on small practices, there is also a broader document — Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients — with additional information.

The HHS Office of Civil Rights (OCR) offers Cyber Security Guidance Material with educational materials about HIPAA-related cybersecurity requirements. The HIPAA Security Rule includes a requirement that healthcare facilities complete regular risk assessments to ensure they are adequately safeguarding protected health information. The Security Risk Assessment Tool is a resource for medium and small providers developed by OCR and the Office of the National Coordinator for Health Information Technology (ONC). Safety Assurance Factors for EHR Resilience (SAFER) Guides from ONC offer additional information to help healthcare organizations conduct self-assessments.

The Cybersecurity Toolkit for Rural Hospitals and Clinics, developed by the National Rural Health Resource Center, provides a step-by-step guide covering cybersecurity awareness, assessment, implementation and remediation, and education.

The Small Rural Hospital Improvement Program (SHIP), supported by the Health Resources and Services Administration's Federal Office of Rural Health Policy (FORHP), annually provides State Offices of Rural Health (SORHs) with funding to help their small rural hospitals meet value-based payment and care goals through investments in hardware, software, and training. SHIP funds, which are directed through states to small rural hospitals, can also be used by hospitals to purchase health information technology, equipment, and training to comply with cybersecurity assessments, education, and training. The approximate funding per eligible hospital is $13,500 per year.

The Microsoft Cybersecurity Program for Rural Hospitals offers rural hospitals access to Microsoft security solutions, resources, and training free or at reduced cost.

Google's rural healthcare cybersecurity initiative aims to help rural health systems and hospitals strengthen their resilience to cyberattacks. Google is partnering with government and industry to offer its solutions to rural health facilities at no cost or a significant discount. This technology is adapted to the needs of each facility and may cover access and collaboration, consulting and support, and security training. Additionally, Google will provide implementation services and support to eligible organizations.

Prepare, React, and Recover from Ransomware is a one-page infographic from the Health Sector Cybersecurity Coordination Center that outlines the actions that medical practitioners, IT professionals, and emergency managers should take to prepare, react to an attack, and recover.

The Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, provides a centralized government location, Stop Ransomware, with information and tools to learn about, protect from, and respond to ransomware attacks. CISA offers Cybersecurity Alerts and Advisories, as well as weekly Vulnerability Summary bulletins that highlight current and emerging concerns. It also offers free Incident Response Training with information covering basic cybersecurity awareness and best practices.

The American Hospital Association (AHA) Cybersecurity & Risk Advisory section offers Cybersecurity Insights and Resources for Rural Hospitals, as well as a What's Your Cyber Risk Profile? 12 Considerations for CEOs fact sheet. AHA's Strategies for Cyber Preparedness in Health Care shares a set of practical strategies to help healthcare organizations prepare for and manage cybersecurity risks, addressing prioritizing cybersecurity, workforce training, clinical continuity, third-party risk assessment, and regional planning.

For additional resources, the Administration for Strategic Preparedness and Response (ASPR) offers a healthcare cybersecurity guide and cybersecurity resources collection in its Technical Resources, Assistance Center, and Information Exchange (TRACIE).

Rural healthcare facilities may also want to look more broadly at how to provide training and staffing related to health information technology. See What facility, technology, and staffing concerns accompany HIT, and what skill sets are necessary? on the Telehealth and Health Information Technology in Rural Healthcare topic guide for more information.

Federal Cybersecurity Strategy

Healthcare Sector Cybersecurity: Introduction to the Strategy of the U.S. Department of Health and Human Services outlines HHS activities focused on hospitals and health systems and identifies the various organizations within HHS focused on these issues. ASPR is the lead federal coordinator focused in healthcare and public health cybersecurity, working with HHS divisions and other federal agencies, as well as state, tribal, and private organizations to address cyber threats. The HHS Cyber Gateway lists healthcare and public health cybersecurity performance goals and identifies cybersecurity information and resources from HHS and other federal agencies.