It will cost upward of $75 million to address the cybersecurity needs of rural US hospitals, Microsoft reckons, as mounting closures threaten the lives of Americans.
Hospitals are routinely targeted by cybercriminals because system availability is acutely linked to mortality rates, and rural facilities are often the least secure, with 93 percent of malicious activity stemming from phishing and ransomware.
When attacks strike, Microsoft research suggests 20 percent of hospitals experience increased patient mortality following a cyberattack, and as rural hospital numbers decline rapidly, patient outcomes are also affected by having to travel farther to receive the required care.
Microsoft said it would cost an estimated $30,000 to $40,000 per rural hospital to raise its security posture to basic standards. This would include implementing MFA, unified identity management, and separating user and privileged accounts so that the most common attacks could be largely mitigated.
Of the approximately 2,100 total rural hospitals in the US, around 1,000 of these are truly independent – not part of a healthcare network that can roll out security solutions and policies across multiple facilities. These are often the least secure healthcare providers in the country and ensuring they’re protected against the most-exploited vulnerabilities would cost around $40 million to $45 million, per Microsoft’s analysis. To do the same across all 2,100, it would cost between $70 million and $75 million.
That cost pertains only to the near-term cybersecurity issues affecting rural US hospitals, but a long-term solution would require work between security vendors, policymakers, and healthcare decision-makers, and likely a great deal more investment.
Rick Pollack, president and CEO at the American Hospital Association, said: “Cybersecurity is a top priority for America’s hospitals and health systems. It is also a shared responsibility … It’s no secret that many rural hospitals across America are struggling as they serve as a healthcare lifeline in their communities, so keeping them safe is essential.”
Pollack’s comments came in June 2024, at the launch of Microsoft’s Cybersecurity Program for Rural Hospitals, through which this latest report was published.
Rural hospitals serve approximately 46 million US citizens, or about 14 percent of the country’s population. Between 2010 and 2017, they were also closing at an alarming rate of roughly one per month.
In 2020 and 2021, 136 closed, and as of 2022, 429 were at high financial risk of shutting down too. Having fewer patients but the same high fixed costs as urban hospitals means that available funds are often tight for rural facilities, so maintaining their viability is a tall order.
US government data shows that when rural hospitals close, patient mortality is threatened. Individuals have to travel 20 miles further for common services on average, and 40 miles further for specialized treatments, which can adversely affect patient outcomes when it comes to conditions such as heart attacks and strokes.
With less money to spend, rural hospitals often have less-skilled staff, including IT specialists. When there isn’t any money to pay top talent or purchase the necessary security solutions, the result is a vulnerable hospital.
The US healthcare sector is battered by cyberattacks every year. In 2023, it was the leading sector affected by ransomware as attacks surged 130 percent, according to FBI figures.
With the average cost of a data breach in the sector at $10.9 million, successful attacks on rural hospitals impose an unsustainable financial burden on already cash-strapped organizations.
How to raise the alarm?
The unfortunate truth is that more cyber calamities might be needed – as if there weren’t already enough – to force key decision-makers into enacting meaningful change.
Professors at Lancaster University recently conducted extensive interviews with infosec veterans, who acknowledged that staff are often the weak links enabling attacks. They suggested better education could provide the impetus to implement the meaningful change the industry needs, such as wider deployment of MFA.
Generally speaking, staff are already called on to consider the consequences of a breach to their employer and their business partners elsewhere in the supply chain, but security pros believe that educating them on the wider practical effects that can arise from an attack could help improve protections.
One interviewee recounted an experience with an attack on a major UK food supplier: “They made a massive amount of food in the UK. They weren’t very mature at the time, so it wiped them out pretty much for a couple of days. To the point if they had gone much further than the point that they did, it would have to go to a national [emergency] meeting to discuss how there’s going to be gaps on the food shelves across the UK.
“So it’s trying to get that understanding. They never thought they were going to be sort of targeted for a cyberattack, but they were. They lost a massive amount of our operational capabilities. That is the kind of impact that it could have.”
Stories like that, combined with the recent case of a cancer patient facing a tragic dilemma following the Qilin ransomware assault on a London hospital, should be included in awareness training, experts argue. ®