How and when will rural hospitals get the tools and resources they need to mitigate cyber threats is an unknown. But to increase awareness about the causes of rural hospital vulnerability and drive more collaboration to enhance their cybersecurity resilience, Microsoft said it envisions immediate and sustained commitment through a public-private partnership.
“We can take action at an unprecedented scale and speed to mitigate cyber risk, drive innovation and ensure both rural hospitals and the Americans they serve are resilient into the future,” Microsoft researchers said in a new whitepaper, The Rural Hospital Cybersecurity Landscape.
Dire situation in lives and dollars
For rural hospitals to remain the cornerstone of healthcare delivery in the United States and continue to provide essential services to millions, Microsoft pledged to continue to expand its efforts to help support their overall resilience, including leveraging artificial intelligence to address needed efficiencies.
The tech giant is also calling on technology companies, policymakers, community organizations and healthcare providers to address the urgent needs of these critical institutions.
While rural healthcare providers may be currently optimistic about finances, last year saw high Medicare Advantage enrollment push half of all rural hospitals in the red.
Since 2010, 182 rural hospitals have closed or converted, according to the 2025 Rural Health State of the State report released last month by Chartis. This year, 46% of rural hospitals are in the red and 432 are vulnerable to closure, the consultancy said.
“Compounding the financial resource strain, rural hospitals face significant challenges recruiting and retaining healthcare professionals. Finding skilled staff in specialized areas of hospital management for example, IT specialists or revenue management teams is a significant challenge in rural areas,” Microsoft said in the whitepaper released on March 5.
Rural hospitals face significant challenges in recruiting and retaining their workforces as well as investing in their own security.
“In large part due to limited budgets, rural hospitals are more likely to lack the resources to implement key cybersecurity measures, creating an ideal opportunity for exploitation from cyber criminals,” researchers said.
Threat actors the world over know this, whether they are going after rural hospitals for financial gain, or are sanctioned by nation-states to sew discord in the U.S. and harm citizens.
To showcase the increasing severity of the threat landscape, in 2015, Texas experienced five data breaches through cyberattacks, exposing over 102,000 patient records, according to the whitepaper.
By 2022, 44 attacks exposed nearly 6 million patient records.
“This spike is not an anomaly, but the result of focused efforts to target hospitals who are simultaneously under-resourced with vulnerable IT environments and housing valuable patient data,” researchers.
Grimly, 20% of the hospitals that experienced a cyberattack reported an increase in patient mortality, Microsoft noted.
The cost per day lost to downtime following ransomware attacks from 2018-2024, estimated at $1.9 million, is compounded by an average downtime of 18.7 days, according to Microsoft.
Then there is the cost of recovery.
“In 2023, according to an IBM report, data breach costs for healthcare rose to more than $10.9 million,” researchers noted.
For hospitals already experiencing financial strain, “this can be the difference between solvency and shuttering,” and that is why wural hospitals have both immediate and long-term needs for support and to help develop their cyber resilience.
Status of rural cyber hygiene
The new white paper discusses Microsoft’s insights from its efforts to aid rural providers in improving their cybersecurity postures through its Cybersecurity Program for Rural Hospitals.
The program offers free security assessment through a pre-vetted security partner to evaluate and identify strategies to mitigate cybersecurity risks, curated learning for provider employees and foundational cyber risk management certification to IT staff, according to Microsoft.
Participants may also receive one year of Windows 10 Extended Security Update at no cost – where available – and security product discounts and offers, including non-profit pricing for critical access and rural emergency hospitals.
All U.S. rural hospitals are eligible for the tech giant’s specialized cybersecurity program, and since it launched more than 375 rural hospitals have asked for help by taking the free assessment. In addition, more than 550 U.S. rural hospitals registered for the company’s program and nearly 1,000 individuals from these organizations accessed cyber training opportunities, Microsoft said.
Researchers quickly found out that most rural hospitals hadn’t implemented basic cybersecurity best practices, Kate Behncken, Microsoft’s corporate vice president of Microsoft Philanthropies and Erin Burchfield, senior director of technology for social impact and one of the whitepaper’s authors, said in their blog article on March 5.
Basic cyber hygiene like email security and multi-factor authentication is lacking, as is performing basic vulnerability scanning.
“Timely patching according to an established process is often neglected in rural hospitals, with only 43% of hospitals being deemed as receiving passing scores in these practices,” the whitepaper’s authors said.
Case in point: On Wednesday, the Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center issued a joint alert warning the sector about Medusa Ransomware. Initial access investigated as recently as last month showed that the variant deploys phishing campaigns as a primary method for stealing victim credentials and once inside exploits unpatched software vulnerabilities such as ConnectWise ScreenConnect – which Blackcat may have used to exfiltrate 6T bytes of Change Healthcare data though denied – and Fortinet EMS SQL injection vulnerabilities. The Health Information Sharing and Analysis Center issued a threat alert about the ScreenConnect vulnerability in January.
Privileged account management is another top liability for many rural hospitals with only 29% of those Microsoft assessed “adequately separating end-user and privileged accounts or accounts with broader systems/data access.”
“Often rural hospitals with lean IT teams lack experience in developing and managing such policies and the capacity to do rigorous ongoing monitoring,” Microsoft said in the whitepaper.
Though most rural hospitals scored well in their asset management practices, end-point management revealed substantial risk. Less than 37% of assessed hospitals met the expert-informed passing score, according to the whitepaper.
Most rural hospitals do not have comprehensive training and awareness programs, either, which makes them vulnerable to social engineering attacks, researchers said.
“Our goal with this program is to address both the immediate cyber risks facing these critical community resources as well as broader systemic challenges facing rural health,” Behncken and Burchfield said in their blog.
“We can help these hospitals to be less vulnerable to common threats and ultimately, better serve their communities,” Microsoft stated in the whitepaper.
In addition to the rural hospitals’ cybersecurity program, Microsoft’s Digital Crimes Unit has embarked on both legal and technical action internationally to disrupt cybercriminals and their facilitators, including those targeting healthcare institutions by using legitimate tools to stage ransomware attacks.
In partnership with Microsoft, H-ISAC and international agencies, U.S. software firm Fortra said on Monday that collaborative efforts to dismantle cybercriminals over the two years are paying off and Cobalt Strike abuse in the wild has dropped 80%.
In its appeal to other tech companies, policymakers and others, Microsoft urged innovation as well as boots-on-the-ground support to shore up rural healthcare IT against growing cyber threats.
“Not only through foundational cybersecurity support but also innovation to address inefficiencies and cost drivers, IT skilling to ensure hospitals are prepared to manage these complex environments,” the company said in the report.
Collaboration and government intervention
“Governments in particular have a responsibility to stop attacks against hospitals,” Microsoft said in its whitepaper.
During his morning keynote at HIMSS25 on March 7, General Paul Nakasone, former director of the National Security Agency from 2018-2024, said he thought immediately of the results of the agency’s Cybersecurity Collaboration Center established in 2020 for Operation Warp Speed after he read Microsoft’s Rural Hospital Cybersecurity Landscape Report.
The center not only enabled the U.S. Health and Human Services to communicate with the Defense Industrial Complex and allow experts to exchange information, but through it, the NSA also provided scanning, secure email and protective DNS to participants.
“The number of intrusions in the defense industrial base dropped dramatically,” Nakasone said.
The cost of this security investment by the U.S. Department of Defense – $10 million a year – saved ten times as much as what intrusions would have cost, he said.
With no other critical infrastructure sector hit harder by ransomware than healthcare – at a cost of $1.9 million per day lost in revenue – Nakasone said similar government involvement could improve the cyber defense of the critical health sector.
“Why don’t we do the same thing with rural healthcare? Why don’t we do that with healthcare in general?” he said.
“Why don’t we figure out a way that we can provide major health providers and their subs, and everyone else that wants it, scanning and protective DNS and secure email to make the bar that much higher for attackers to come into?”
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.