
Rural hospitals in US need to invest at least $70 million in cybersecurity, Microsoft finds

The average rural hospital would need to spend tens of thousands of dollars to address its cybersecurity vulnerabilities, Microsoft estimates.

In a white paper published on Wednesday, the tech giant said the cost to mitigate basic cyber risks across all of the approximately 2,100 rural hospitals in the U.S. would be $70 million to $75 million. Each hospital would on average need to spend between $30,000 and $40,000.

The findings, produced as part of the Cybersecurity for Rural Hospitals Program, come from assessments done at more than 250 rural hospitals. More than 500 hospitals signed up for the program, which was launched last year and offers free security assessments and trainings.

“The need to support rural hospitals is immense. These hospitals are often the only healthcare option for over 50 miles in the communities they serve,” said Kate Behncken, vice president of Microsoft Philanthropies.

“A cyberattack that disrupts care for weeks or months in these isolated settings can have a devastating impact and endanger human lives.”

The company found that more than 62% of rural hospitals struggle to implement basic email security, multifactor authentication and network segmentation. 

Just 43% of the surveyed hospitals ran vulnerability scanning or conducted timely patching processes while only 29% separated basic accounts from more privileged accounts with broader system and data access. 

Behncken warned that ransomware attacks continue to be the primary concern for rural hospitals because of the disruptions to patient care and their inability to pay ransoms compared to larger hospital networks.

Ransomware attacks often “represent a tipping point toward closure, impacting not just the hospital, but the communities they serve with potentially life-threatening consequences,” she said. 

On Wednesday, Whitman Hospital & Medical Clinics — one of the few hospitals in eastern Washington state — warned that its electronic systems are still down because of a February 28 cyberattack that continues to cause delays in service. 

Most of the approximately 1,000 independent rural hospitals that are not part of a larger hospital network or system face significant financial hurdles, making it difficult to cover the costs needed to address cybersecurity lapses.

Microsoft said the initial response of rural hospitals to the program “has exceeded projections, reflecting the level of need in rural hospitals.”

“Most rural hospitals do not have a robust cybersecurity training and awareness program that educates the users on the types of cybersecurity risks they are most likely to experience,” Microsoft said. “With some of the most common attack vectors being social engineering, this leads to a major security gap not just for the hospital, but for the employees, and awareness of security risks in their personal lives.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.