The Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) highlighted the significant cybersecurity challenges facing America’s resource-constrained healthcare providers. A recent report noted that these challenges stem from a limited workforce and expertise, outdated systems, and inadequate funding. The report, submitted to the U.S. Department of Health and Human Services, the White House, and the House and Senate Rural Health Caucuses, urges both the government and the broader healthcare community to invest in workforce development, financial support, and strategic partnerships to strengthen cybersecurity and safeguard patient safety.
In its report titled ‘On the Edge: Cybersecurity Health of America’s Resource-Constrained Health Providers,’ the HSCC explores the cybersecurity readiness of small, rural, and under-resourced healthcare organizations, such as critical access hospitals, family clinics, skilled nursing facilities, and federally qualified health centers (FQHCs). The report finds that these providers are only marginally prepared to defend against escalating cyber threats that jeopardize clinical care and operational stability. It also outlines the forms of support needed to meet increasing cybersecurity regulatory demands.
Jim Roeder of Minnesota-based Lakewood Health and a co-lead of the HSCC task group that prepared the report, observed that “This report sheds a critical light on the cybersecurity challenges threatening resource-constrained healthcare providers like ours. It accurately reflects the fears we face daily in knowing that a single ransomware attack could not only jeopardize our hospital’s future but also put our patients and community at risk.”
Roeder added, “Cybersecurity is not just an IT issue; it is a patient safety issue. Protecting the health and well-being of our communities means ensuring we have the resources and support to defend against evolving cyber threats.”
“This report accurately captures the challenges our rural hospitals face,” Tianna Fallgatter of The Rural Collaborative, which represents 28 rural hospitals in Washington State, said in a recent media statement. “Already stretched too thin, experiencing increasingly sophisticated cyber-attacks, our hospitals will not be successful at protecting the nation’s people without government support. We need to find a way to provide the funding urgently needed, despite our nation’s budget shortfalls, to make rural hospitals and their patients a priority.”
The findings are based on in-person interviews with 40 executives from resource-constrained health systems across 30 states. Participants consistently reported severe challenges due to limited staffing, outdated technology, and inadequate funding. While most organizations understand what cybersecurity measures are required, they lack the means to implement them effectively. To close this gap, the report emphasizes the urgent need for workforce augmentation, sustainable financial investment, and public-private partnerships to strengthen cybersecurity and protect patient safety.
The report revealed a shared awareness of the challenges and requirements of effective cybersecurity management. Most participants recognized the strong link between cybersecurity and critical healthcare outcomes, including patient safety, operational continuity, financial stability, and governance oversight. Interviewees provided various recommendations for how government and community partners could better support their cybersecurity efforts.
A recurring theme was the belief that many healthcare organizations know what needs to be done to secure their systems but lack the workforce capacity to do it. The most frequently cited need was direct, ongoing access to external cybersecurity personnel. Respondents emphasized that routine, part-time support from trained cybersecurity professionals would provide the most meaningful assistance. Several sustainable delivery models were suggested, including larger regional health systems donating staff to smaller facilities once or twice a week; government-funded deployment of managed security service providers (MSSPs) to subscribed health systems; and a state-administered ‘Cyber Corps’ staffed by National Guard or other qualified personnel.
Non-profit health IT collaboratives were also highlighted as a valuable model. These organizations help rural and resource-constrained providers reduce costs, share infrastructure, and maintain operations during crises by leveraging economies of scale and promoting collective learning. Despite knowing how to implement cybersecurity best practices, many providers lack the means to do so without sufficient staff or secure IT infrastructure.
Some interviewees also supported using reimbursement incentives to encourage cybersecurity improvements. A ‘meaningful use’-style model, similar to those used in electronic health record adoption, was suggested, wherein the Centers for Medicare & Medicaid Services (CMS) would provide payments to organizations demonstrating the implementation of recognized cybersecurity frameworks, such as the Health Industry Cybersecurity Practices (HICP) or the NIST Cybersecurity Framework. This approach is supported by Public Law 116-321, which allows the Office for Civil Rights (OCR) to consider such practices when determining penalties in HIPAA enforcement actions.
While workforce support and reimbursement incentives topped the list of needs, grants and training were ranked lower in priority. Grants were seen as overly competitive, narrowly scoped, and burdensome to administer. As for training, many organizations noted they don’t lack knowledge—they lack people to do the work.
The HSCC report suggests that unregulated third-party technology and service providers represent a major threat vector and impose costly third-party risk management demands. Health providers should not bear the sole burden of policing their vendors; such third parties must be held to an enforceable higher cybersecurity standard when they support critical healthcare infrastructure where lives are at risk.
Also, workforce augmentation for needed cybersecurity skills should be funded at the federal level through ongoing commitment of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) technical support programs, and at the federal and state levels for subsidizing the use of contracted managed security providers; academic institutions’ deployment of student engineers and cybersecurity majors in programs such as the Consortium of Cybersecurity Clinics; state National Guard assistance for cybersecurity incident response; and other programs.
The HSCC report noted that the CMS reimbursement incentives can be helpful, but there may be hesitancy among some providers when money is tied to compliance. CMS should create specific billing codes for such cybersecurity imperatives as staff training. As resource-constrained providers often have negative margins, making cybersecurity a reimbursable expense is paramount so that providers can afford the adoption of cybersecurity best practices. Workforce challenges are due, in part, to a resource constraint problem.
It recommends continuation and expansion of the U.S. Department of Agriculture’s Rural Loan Program, which supports rural entities such as health providers with various forms of cybersecurity support, including funding equipment, software, and infrastructure; securing rural development’s portfolio through managing risk to healthcare facilities; serving as a potential technical assistance provider; and acting as a conduit to rural community leaders and health care providers to share information and resources.
It also recognized that a one-time grant support payment would not be enough and generally cannot be used for hiring. Grant programs should be tailored to specific needs for resource-constrained health providers and should be ongoing as part of the payment structure. They should allow grantees to use funds to hire staff or participate in non-profit health IT collaboratives that provide cost-effective and scalable solutions for cybersecurity and artificial intelligence (AI) readiness.
The report also focused on regulatory and technical training for IT staff, assistance from affiliated health systems, access to GSA schedule pricing for cyber expenditures, and an easily accessible library of best practices for healthcare cybersecurity management.
The HSCC also supports cybersecurity policy recommendations offered by the National Rural Health Association in 2024.
In its conclusion, the HSCC said that the need for cybersecurity in healthcare is only growing stronger. “Yet resource-constrained providers lack the workforce, partners, and means to implement cybersecurity best practices. Through our interviews with 42 healthcare leaders at Resource-Constrained institutions, we learned that most providers know what needs to be done; they simply lack the capacity and resources to put best practices into action.”
It recognized that providers need workforce augmentation, trusted partners to help certify, host, maintain, and support health systems with modern cybersecurity capabilities, and the financial flexibility to invest in cybersecurity. “Looking at today’s healthcare landscape, artificial intelligence is accelerating delivery transformation in large institutions who can afford novel technologies and the cybersecurity costs that come with them.”
Furthermore, resource-constrained providers will fall further behind in adopting this technology because they cannot bear the increased cyber vulnerabilities. “Now is the time for action and investment to secure valuable information and ensure innovative health care delivery remains available in rural and resource-constrained communities.”
In March, the HSCC released a set of considerations outlining how government policies and programs can better support the health sector’s efforts to strengthen cybersecurity and reduce risk. These proposals are intended to inspire dialogue and innovation between government and industry by emphasizing the ‘what’ rather than prescribing the ‘how.’ While not exhaustive or prescriptive, they offer a flexible framework for shaping effective initiatives.
If enacted under existing or new statutory authorities, these concepts could help reduce sector-wide cyber risk through financial incentives, grant-based assistance, and operational support, particularly for under-resourced providers such as small practices, critical access hospitals, safety net facilities, and rural emergency hospitals.
The recommendations are organized into five key categories. The first focuses on preparedness support and information sharing to improve sector-wide awareness and coordination. The second emphasizes the need for financial support and incentives to help healthcare organizations invest in essential cybersecurity measures.
The third addresses incident response and recovery, ensuring that providers have the resources and guidance needed to respond effectively to cyber incidents. The fourth highlights workforce development, aiming to build and sustain the cybersecurity talent necessary for the health sector. Finally, the fifth category calls for regulatory reform to align cybersecurity expectations with the unique realities of under-resourced healthcare providers.
Each recommendation is numbered to correspond with the original HSCC recommendations document, ensuring easy reference and contextual alignment with related proposals.