Why Cybersecurity Measures Remain Weak in Rural Hospitals

In an increasingly complex cyber landscape, rural and small community hospitals are grappling with mounting cybersecurity threats, according to Jackie Mattingly, senior director at Clearwater, a consulting firm specializing in privacy and security. Faced with shrinking resources and staffing deficits, these hospitals are particularly vulnerable to sophisticated cyberattacks.

Mattingly highlights how overextended hospital IT directors are: they often juggle multiple roles, from managing help desk operations to overseeing electronic health record (EHR) systems. This multitasking leaves little room for proactive cybersecurity measures, because their time is consumed by day-to-day operational duties.

Unfortunately, the financial outlook for these healthcare institutions is also bleak. In the coming year, many are expected to receive lower Medicaid payments, further constricting their already limited cybersecurity resources. “They’re really feeling a lot of pressure,” Mattingly noted, emphasizing the urgent need for these entities to elevate cybersecurity on their agendas.

To effectively combat these challenges, leadership at these hospitals must integrate cybersecurity discussions into regular management conversations. Mattingly, a former Chief Information Security Officer (CISO) for a rural hospital in Kentucky, asserts that IT must transition from a ‘backseat’ role to a more prominent position in decision-making processes. Establishing a culture of collaboration in this domain is critical.

In a recent interview, Mattingly shed light on the broader ramifications for the healthcare system when rural and small community hospitals suffer from cyberattacks. The repercussions extend not just to the affected institutions but also to the overall healthcare ecosystem, as they often serve as essential providers for a community’s health needs.

Moreover, she addressed the struggles some of these hospitals encounter in accessing free cybersecurity resources and tools offered by federal agencies like the Cybersecurity and Infrastructure Security Agency (CISA). The 2024 ransomware attack on United Healthcare’s IT service unit, Change Healthcare, exemplifies ongoing vulnerabilities, with effects rippling into 2025 and beyond for numerous small hospitals.

Mattingly’s expertise is rooted in over 20 years of experience in healthcare IT, with the past decade focused on information security. As an active participant in several healthcare cybersecurity organizations, she aims to empower regional and community hospitals to enhance their cybersecurity posture.

In an environment where threats are continually evolving, the integration of robust cybersecurity initiatives is not merely advisable but essential for safeguarding patient data and maintaining operational integrity in rural and community healthcare settings.

As these hospitals navigate the complexities of modern cyber threats, leveraging the MITRE ATT&CK framework can be particularly beneficial in identifying potential adversary tactics, such as initial access through phishing, persistence via backdoors, and privilege escalation to gain admin rights. By gaining a clearer understanding of these tactics, hospitals can better defend against potential breaches and foster a more resilient healthcare infrastructure.
