Cyberattacks on healthcare institutions have surged, affecting operational stability and patient safety across the United States. While larger systems invest in sophisticated defences, smaller and rural providers face growing threats without the necessary resources to respond effectively. These "Resource-Constrained" providers—such as critical access hospitals, community clinics and long-term care facilities—serve vulnerable populations and represent vital parts of the healthcare infrastructure. Yet, they remain disproportionately exposed to cyber risks due to limited funding, outdated systems and a shortage of cybersecurity professionals. Recent findings by the Health Sector Coordinating Council reveal the urgent need for coordinated government support and tailored policy to help these institutions safeguard patient care.
Challenges in Cybersecurity Readiness
Smaller providers are often acutely aware of the cyber risks they face but lack the means to counter them. Many institutions operate with insufficient IT staffing—often just two to five people covering the responsibilities of a much larger team. This results in difficulties implementing best practices, keeping pace with threats or conducting routine risk assessments. Most rely on legacy systems and patchwork infrastructure that are no longer supported, introducing vulnerabilities that are costly to remedy.
Third-party service providers further complicate the risk landscape. As many institutions depend on vendors for essential digital services, any vulnerabilities within these external systems can directly jeopardise operations. Despite the significant role third-party actors play in enabling or weakening healthcare cybersecurity, current policy disproportionately places compliance responsibility on the providers themselves.
Moreover, the trade-off between funding for direct care and investment in cybersecurity remains a major issue. With constrained budgets, many institutions must prioritise immediate clinical needs, often at the expense of technology upgrades or insurance coverage. This underinvestment heightens the risk of operational disruptions, reputational damage and even patient harm due to delayed or compromised care delivery during a cyber incident.
Workforce and Infrastructure Gaps
The shortage of skilled cybersecurity professionals is one of the most critical barriers to progress. Interviewed executives expressed that they often “know what to do” to secure their environments, but lack the personnel to carry it out. In response, innovative workforce augmentation models have been proposed. These include deploying part-time security experts funded by federal agencies, creating “Cyber Corps” programmes through National Guard units or academic partnerships and fostering collaboration with larger healthcare systems willing to share expertise.
Infrastructure also plays a central role. Many Resource-Constrained providers have begun adopting broadband, telehealth and electronic health records—expanding their digital footprint and, consequently, their vulnerability. However, they lack the robust infrastructure to secure these services adequately. Investing in scalable, secure platforms shared through non-profit IT collaboratives could allow smaller providers to maintain continuity while achieving better cost efficiency.
There is also a call for improved access to centralised best-practice resources, regulatory training for IT teams and flexible funding mechanisms. Institutions report that competitive grant programmes are often difficult to navigate and fail to cover essential staffing needs. Instead, sustainable support integrated into reimbursement models or rural loan programmes is seen as more impactful.
Policy Recommendations for Sustainable Support
To address these systemic issues, the Health Sector Coordinating Council has proposed a series of strategic recommendations. These include designating high-impact cyberattacks as “all hazards” events to trigger federal emergency response mechanisms and prioritising support for critical access and rural hospitals during such crises. The Council also supports expanding participation in information sharing platforms like Health-ISAC, ensuring small providers receive timely intelligence and mitigation tools.
Reimbursement incentives tied to demonstrated cybersecurity practices could create meaningful motivation without punishing already-stretched institutions. Yet, caution is advised in how compliance is enforced, as overly rigid regulation without corresponding support could backfire. Respondents emphasise that new mandates must be matched with accessible training, subsidised services and affordable access to tools like managed detection and response systems.
Workforce development is another critical pillar. Programmes inspired by the HITECH Act or public service scholarships could provide career pathways into healthcare cybersecurity for a new generation of professionals. Federally funded deployment of MSSPs and support from state agencies would further alleviate the burden on in-house staff. Additionally, regulators are urged to hold third-party vendors accountable for cybersecurity failures, recognising their critical role in safeguarding patient data and operational continuity.
Lastly, integrating cybersecurity upgrades and staffing into allowable expenses under existing subsidy programmes, such as the FCC Health Connect Fund, would provide a clear, structured route for providers to enhance their defences without additional administrative burden.
Resource-Constrained healthcare providers face an uphill battle in defending against cyber threats. Despite clear awareness of the risks and commitment to patient safety, they are hampered by limited staff, outdated infrastructure and inflexible funding pathways. Without sustained support, these institutions will struggle to adopt advanced technologies, including AI, that are rapidly becoming central to modern care. Cybersecurity is no longer just an IT issue; it is a patient safety imperative. To protect the health and wellbeing of underserved populations, national policy must prioritise equity in cybersecurity capacity, ensuring that no provider is left behind in an increasingly digital healthcare landscape.
Source: Health Sector Coordinating Council's Cybersecurity Working Group