Rural hospitals are particularly vulnerable to ransomware, report finds

The most vulnerable hospitals are unprepared to deal with the impact of digital extortion as ransomware attacks target health care facilities.
A broken piggy bank with a stethoscope. (Getty Images)

As health care providers continue to get hammered by ransomware, a new report from an influential think tank warns that rural hospitals are likely to be hardest hit by such attacks unless the industry makes major cybersecurity investments. 

The study from CSC 2.0, an offshoot of the Cyberspace Solarium Commission, finds that whether the U.S. health care sector will be able to protect itself against future cyberattacks hinges largely on how much — or how little — funding Congress will allocate to address the issue. 

“This does come down to money and in a lot of the cases it’s about federal funding,” said Annie Fixler, a co-author of the report and the director of the Foundation for the Defense of Democracies’ Center on Cyber and Technology Innovation. “There’s some things we can do without Congress, but a lot of this stuff does come down to funding.”

The threat facing U.S. health care systems is no longer theoretical, with several important health care providers getting hit by ransomware attacks in recent months. 


In May, hackers hit one of the United States’s largest health care providers, Ascension, which runs 140 hospitals across 19 states. That attack disrupted the availability of health records and systems needed for medical procedures and the provision of medication across the nation. In February, a ransomware attack on the payment processor Change Healthcare impacted patient care at nearly three-quarters of all U.S. hospitals, with more than half of all facilities reporting serious financial impact, per Tuesday’s report.

The report notes that the majority of rural hospitals are considered “critical access,” which refers to a 24/7 facility that provides fewer than 25 beds and is at least 35 miles from another hospital. The concept seeks to capture regional health care scarcity, and hospitals that meet the criteria usually service populations that are older, sicker, poorer and more often uninsured, all while operating on tighter budgets. 

When hit by a ransomware attack, the consequences can be particularly devastating for such facilities and their patients. 

“The biggest threat from ransomware though, we believe, is the increase in time it takes for patients to receive emergency care. For some medical complications such as cardiac arrest, mere minutes can be the difference between life and death,” said Michael Sugden, a co-author of the report and a research analyst and editorial associate at FDD. “And if a facility is affected by ransomware and cannot treat time-sensitive conditions like this, patients may need to be rerouted to alternative facilities — that additional time can be catastrophic.” 

The report notes that determining the human toll of ransomware on health care systems is difficult, as the sector records medical causes of death, not availability of health records or inoperable equipment due to a cyberattack.


The report suggests that the federal government develop new long-term sector-specific cybersecurity objectives, work with the health care industry to identify the most vital services and create a road map to segment those networks. The report recommends increasing funding for the Department of Health and Human Services, which is charged with overseeing and protecting the industry from threats, and charges the Government Accountability Office with auditing the agency to determine resourcing needs or changes to its structure. The report also recommends additional funds directed to resourcing HHS’s cyber performance goals and incentive programs, and establishing a pilot rural virtual chief information security officer program for facilities that can’t afford a full position.

The report also recommends updating the entities in the health care sector that are included on the list of so-called “systemically important entities” maintained by the Cybersecurity and Infrastructure Security Agency. That recommendation is inspired by the fact that Change Healthcare was not on that list, despite the severe consequences of the attack on the sector. 

The report urges industry to make some basic investments into cyber hygiene training for employees and encourages underfunded facilities to engage managed IT service providers that can outsource work to part-time cyber defenders. Additionally, the report calls on health care providers to develop contingency plans for patient care if a facility is targeted by ransomware so service disruption is kept to a minimum.

Citing a 2021 survey in which 73% of respondents reported using legacy operating systems, the report notes that health care providers are made more vulnerable by their reliance on older computer systems. Health care providers also suffer from a large attack surface, with hospitals, for example, running hundreds of medical devices, numerous computers for reviewing and updating medical records, water and wastewater treatment facilities and other operational technology — all of which could be a way in for hackers.

While the Biden administration has highlighted the combating of ransomware as a key national security priority, attacks are only increasing, with 50 new malware variants appearing within the past year, according to new research by the Google-owned cybersecurity firm Mandiant.


The FBI’s 2022 Internet Crime Report found that the health care and public health industry experienced more ransomware attacks than any of the other 16 critical infrastructure sectors.A survey of 600 health care organizations found that around 70% of those that faced a ransomware attack said the incident led to longer hospital stays and delayed services, with 22% experiencing increased death rates.

Latest Podcasts