Angela lived with COPD for years. During flare-ups, her small hometown hospital was her lifeline — its staff knew her history, and its electronic medical record system ensured her care team had immediate access to her ePHI. But in early 2023, that hospital closed due to financial strain and staffing shortages. The nearest hospital was 45 minutes away, and during her next crisis, delays, repeated tests, and missing records complicated her care.
Over the following months, Angela’s care fragmented further. The regional hospital that stabilized her also shut down — this time under pressure from a ransomware attack that disrupted operations and revenue cycles. With no local hospitals left, Angela bounced between clinics, retelling her story and carrying test results by hand. Even when a new hospital reopened in her hometown, her medical history didn’t make the transition. Continuity was lost, and the risk to her health — and her data — grew with every handoff.
Angela’s story is fictional, but the crisis is real. In 2023, two rural Illinois hospitals closed after a ransomware attack hampered operations for over 14 weeks. Though one later reopened under new ownership, the shift raised fresh concerns about ePHI security and system transitions. Across the U.S., nearly 700 rural hospitals are at risk of closure. When they shut down, the impacts cascade: broken continuity, delayed care, and increased cyber risk in every new system a patient must navigate.
How rural hospitals can protect patient care – and the data behind it
Even with limited resources, rural hospitals can take meaningful steps today to protect patient care and strengthen resilience, including the following:
1.Conduct a HIPAA-compliant, asset-based risk analysis.
A comprehensive asset-based risk analysis is the foundation of a strong cybersecurity program.
- Identifies where ePHI lives, who accesses it, and which vulnerabilities could compromise care.
- Meets Security Rule’s standards, aligns with OCR expectations, and provides a prioritized roadmap to protect both patient care and sensitive data.
Without it, hospitals remain blind to threats that jeopardize patient safety and data security.
2. Use 405(d) practices to establish your baseline
The Health Industry Cybersecurity Practices (HICP) framework, published under 405(d), offers practical safeguards specifically designed for resource-constrained hospitals. It’s a great starting point to assess current maturity and close gaps that could impact patient care.
- HICP provides actionable practices to help small hospitals prioritize essential controls for secure, uninterrupted operations.
Without a 405(d) baseline, small hospitals risk overlooking critical safeguards that protect systems and ensure continuity of care.
3. Secure basic cyber hygiene to protect care delivery.
Basic cyber hygiene is critical to preventing the most common attacks. Without these essentials, hospitals risk system outages that directly disrupt patient care.
- Install endpoint protection.
- Filter email for phishing and malware.
- Secure remote access for staff and vendors.
Skipping these basics leaves critical systems vulnerable—threatening patient safety, operations, and data security.
4. Review vendor access and data sharing.
As services shift to external partners, ePHI often follows – creating new exposure points that can disrupt care if vendor security isn’t airtight.
- Validate business associate agreements for HIPAA compliance and confirm vendors have strong security practices to reduce risks and protect patient data.
- Map sensitive data flows to avoid unmonitored transfers and unexpected exposures.
Unstructured methods like email, fax, or USB can introduce unnecessary risk.
5. Continuously monitor for threats to safeguard patient care.
Cyber threats evolve daily. Continuous monitoring enables hospitals to detect and respond quickly-before an incident disrupts critical systems or exposes sensitive information.
- Leverage managed services to fill gaps when in-house resources are limited.
- Monitor system activity in real-time to maintain visibility and control.
- Respond to alerts immediately to contain potential breaches.
- Ensure compliance with HIPAA expectations for visibility and incident response readiness.
Stopping threats early keeps critical systems running, protecting sensitive data, and ensures patient care remains uninterrupted.
6. Engage leadership to strengthen resilience.
Cybersecurity isn’t just an IT responsibility—it requires active involvement from leadership at every level to protect patients and ensure operational continuity.
- Treat cybersecurity as a hospital-wide responsibility by embedding it into governance and decision-making.
- Engage the board, executives, and clinical leaders in meaningful risk discussions.
- Use plain language to link cyber risk to patient safety, financial stability, and operational continuity.
When leadership champions cybersecurity, teams follow their lead—closing gaps attackers are quick to exploit.
7. Develop a phased and realistic improvement plan.
A strong cybersecurity program doesn’t happen overnight. Rural hospitals can make steady progress by focusing on high-impact actions that align with their resources and capabilities.
- Use your risk analysis to map out a multi-year strategy.
- Prioritize the highest risks for the greatest impact.
- Match priorities to your available funding, staff, and technical capacity.
- Tackle improvements that protect the most data with the least lift.
Skipping this step spreads resources thin and leaves critical gaps attackers can exploit.
Protect patient care, especially when care delivery changes
When a hospital closes — even temporarily for ransomware recovery — it often forces care transitions that send patient data across new systems and providers. Hospitals may need to shift services to new vendors, refer patients to external clinics, and share ePHI across unfamiliar systems.
If these transitions aren’t managed carefully, visibility into ePHI can disappear, creating new access points attackers are eager to exploit.
There’s a way forward. Start with a HIPAA-compliant, asset-based risk analysis to uncover where data lives, who accesses it, and what vulnerabilities could compromise care. Prioritize the security basics. Train your staff. Engage leadership. Develop a phased plan that safeguards patients and their data through every disruption.
Potential closures create pressure. Poor planning magnifies risk to care, compliance and patient trust.
Photo: The best photo for all, Getty Images
Jackie Mattingly is a Senior Director of Consulting Services at Clearwater, focused on serving the cybersecurity and compliance needs of regional and community hospitals. She has more than 20 years of experience in health care IT and has spent the last decade in information security, including serving as Chief Information Security Officer for Owensboro Healthcare in Kentucky. Jackie is a board member of the Association for Executives in Healthcare Information Security (AEHIS) contributing to the advancement of health care information security professionals and also a board member for the Women in CyberSecurity Healthcare (WiCyS Healthcare) contributing to reshaping the social and technical landscapes of our critical health systems. She also serves as Adjunct Faculty Instructor for the University of Southern Indiana (USI), helping to educate the next generation of health care privacy and security professionals.
This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers. Click here to find out how.
