Providers with modest resources are being attacked. Healthcare leaders say breaches at smaller hospitals and clinics can have a serious impact.
Ransomware groups have consistently tried to break into hospitals’ networks, and they aren’t just eyeing big health systems.
Small hospitals and clinics are vulnerable to cyberattacks, and they have limited resources for defenses, says Jennifer Stoll, the chief external affairs officer of OCHIN.
Increasingly, cyberattackers are going after smaller hospitals, industry leaders say. Ransomware groups are going after rural hospitals, federally qualified health centers, clinics, and other facilities with modest resources. The Health Sector Coordinating Council’s Cybersecurity Working Group outlined some of those threats in a May report sent to the White House and the U.S. Department of Health & Human Services.
Jennifer Stoll, the chief external affairs officer of OCHIN, a collaborative of hundreds of safety net organizations, said more rural hospitals and federally qualified health centers are suffering breaches.
“We're the least funded section of the delivery system, and we are the most vulnerable when it comes to cybersecurity,” Stoll tells Chief Healthcare Executive®.
“Everybody needs a lot of money to be able to support the cybersecurity infrastructure, because we are really facing a national crisis, which is a war against our healthcare providers every day, with bad actors domestically, but mostly abroad. And we just don't have the resources,” she says.
Security or staying open
Hundreds of healthcare organizations have suffered breaches in recent years. In 2024, there were 592 breaches of health data, and 259 million Americans were affected, according to John Riggi, national advisor for cybersecurity and risk with the American Hospital Association. Three out of four Americans were impacted by a breach of private health information last year.
Rural hospitals recognize that they are vulnerable to cyberattacks, but most don’t have the money or manpower to invest in strong defenses, says Jim Roeder, the vice president of information technology of Lakewood Health System, which operates a critical access hospital and several primary care clinics in Minnesota. He served as co-leader of the task force that produced the report on cyberattacks and smaller systems.
Many rural hospitals have to choose between equipment for patient care and boosting investments in cybersecurity, says Jim Roeder, vice president of information technology of Lakewood Health.
For smaller providers, Roeder says, “We could have a couple million dollars for cybersecurity, or we can get that CT machine that we need to bring in more revenue and keep the doors open. And so that's the constant battle that we face from our budget, when we have to go to the board.”
At first blush, a small, 25-bed hospital in a rural community wouldn’t seem like it would be worth the time for a cyberattacker. But analysts say there are reasons why ransomware gangs would go after a rural hospital or a federally qualified health center.
First, even a small organization still has a great deal of private health information, which is very valuable to bad actors. And that’s also true of clinics and health centers serving neighborhoods where many have low incomes.
“Just because they're low resource communities doesn't mean that it's not great data to be able to hijack or steal,” Ochin says.
“Even if you're dealing with low income and underserved or rural communities, you know, it still creates havoc, and it still allows them to have a very powerful weapon, with lots of things that they can do for nefarious purposes,” she adds.
Federally qualified health centers aren’t being spared, she says.
“They have just as many breaches. They really do,” Ochin says.
Retired Army General Paul Nakasone, the former leader of the U.S. Cyber Command, warned of the growing risk of cyberattacks aimed at rural providers at the HIMSS Global Health Conference & Exhibition in March.
“These rural hospitals have limited funds, have limited capabilities, and they are often the target of ransomware actors,” Nakasone said.
Plus, ransomware groups know smaller hospitals are more likely to have less imposing defenses, so they reason they could get a payday with relatively low effort, experts say.
Limited staffing
Hospitals and health systems often are exposed to breaches involving many of the vendors they utilize for all sorts of business functions. Leaders of smaller hospitals are increasingly frustrated by the risks of attacks tied to vendors, and they are left wondering whether those vendors are staying up to date with software patches to address vulnerabilities. And smaller systems don’t have the staff to do some of the leg work to be sure vendors are doing what they should be doing.
In the cybersecurity report, Roeder says some hospital leaders expressed frustration that they have to take on all the risk involving vendors properly updating their systems. They want vendors to take more responsibility.
“If they want these devices to be put into healthcare systems, they have to be willing to patch them, support them, make sure they stay secure,” Roeder says.
Rural hospitals and health centers typically may have one person focused on cybersecurity, and sometimes even that individual is juggling other responsibilities.
While many hospitals struggle to find talented cybersecurity pros, it’s especially difficult for rural hospitals.
Roeder says it’s difficult to “find people that have the knowledge that want to work in healthcare in a rural area.”
Some hospitals and health systems have allowed cybersecurity staff to work remotely, which helps to a degree, he says. But that’s a bit of a double-edged sword, because cybersecurity pros living in rural areas don’t necessarily have to work at the local hospital.
“It kind of hurt us, because these people with that knowledge all of a sudden can work for bigger companies elsewhere, too,” he says.
‘It’s also patient safety’
Hospital cybersecurity leaders have stressed that breaches have costs beyond the bottom line and even reputational damage. Cyberattacks threaten the safety of patients, particularly when attacks succeed in knocking electronic health records offline and disrupting vital systems.
“Cybersecurity for one is cybersecurity for all, and it's also patient safety,” Stoll says.
Cybersecurity leaders are also talking more about the “blast radius” of a breach, because an attack at one hospital can force patients to be transferred to other facilities.
But the risks to patient safety may be magnified at smaller hospitals, particularly those in rural areas. In plenty of rural areas across the country, a small, community access hospital may be the only hospital within an hour or more.
If an attack happened at Lakewood Health in Minnesota, Roeder says patients may have to go to another facility that may be an hour or two away.
“We got to try and hope they have room for these patients,” Roeder says. “And you know, we have two ambulances. How do you get them there? How do you transport them there in a timely manner?”
That vulnerability for rural providers makes them a target. As Stoll notes, some rural communities may not have another hospital within 150 miles. And that puts rural hospitals in a terrible position when an attacker gets into their system in hopes of a payday.
“If you have a gun to your head, because they've got all your data and they've frozen your system, you're down,” Stoll says. “And you are creating a real vulnerability in terms of patient care.”
Stoll, Roeder and other advocates for federally qualified health centers and rural hospitals stress that those facilities are going to need more federal funding to defend against cyberattacks.
The federal government is looking to impose tougher requirements on hospitals to maintain certain cybersecurity standards, and healthcare leaders say smaller facilities are going to need more help.
“It's really different, and we have to think differently about the needs of those that have the least amount of resources,” Stoll says.