Microsoft highlights cybersecurity crisis in rural hospitals, urges enhanced measures to bolster healthcare resilience
Microsoft published a new white paper that shares insights gained over the past year, focusing on the current cybersecurity landscape for rural health and the role technology companies can play. It explores the current state of rural hospitals, the unique cybersecurity threats they face, and the role technology companies can play to address the immediate cyber risk and broader systemic challenges facing rural hospitals today.
The white paper observed that ransomware attacks pose a particular threat to hospitals, which are frequently targeted by both financially motivated cybercriminals and nation-state threat groups. “Hospitals often pay ransoms to avoid patient care disruptions, and malicious actors exploit this reality. Moreover, these types of incidents surged by nearly 130% that year, according to reporting from the Office of the Director of National Intelligence (ODNI), on an already high baseline following COVID-19.”
Additionally, the rise of the ‘ransomware-as-a-service’ (RaaS) ecosystem, where cybercriminals rent or sell their tools for a portion of the profits, has industrialized the cybercrime economy. This makes it easier for malicious cyber actors to use ready-made tools for their attacks.
The rural health sector serves nearly 14 percent of the U.S. population but is experiencing financial and operational challenges. With outdated technology and limited resources, they have become prime targets for cyberattacks. Rural hospitals often represent a unique opportunity for bad actors to exploit vulnerable, aging systems that house highly sensitive and valuable patient data. Studies have shown that small healthcare providers with under 500 employees suffer disproportionately compared to the broader healthcare sector.
“With the release of today’s white paper, we hope to increase awareness and understanding of these issues and drive more collaboration between technology companies, policymakers, and healthcare providers to enhance the cybersecurity resilience of rural hospitals,” Kate Behncken, corporate vice president for Microsoft Philanthropies and Erin Burchfield, senior director for Technology for Social Impact, wrote in a recent blog post. “In the coming months, Microsoft will continue to expand efforts to support rural hospitals, ensuring they have the tools and resources needed to mitigate cyber threats and enhance their overall resilience.
They added that “leveraging AI for greater efficiency—by streamlining and automating some hospital processes—is just one way we are looking to provide support. By addressing both immediate cybersecurity risks and broader systemic challenges, we can help ensure that rural hospitals remain a vital part of the healthcare ecosystem, providing essential services to millions of Americans.”
Last year, Microsoft launched its Cybersecurity for Rural Hospitals Program, an initiative designed to help protect access to healthcare for the 46 million people living in rural America. The program aims to address both the immediate cyber risks confronting these vital community resources and the broader systemic challenges facing rural health. Funded through a philanthropic investment, the program now has more than 550 rural hospitals, nearly one-third of all US rural hospitals, participating to receive free cybersecurity assessments, cybersecurity training, Microsoft security product discounts, and AI solutions designed to promote hospital resiliency.
“Among the most sophisticated financially motivated threat actors targeting healthcare is a group tracked by Microsoft as Vanilla Tempest,” Microsoft identified in the white paper. “Active since July 2022, they use INC ransomware procured through RaaS providers to target U.S. healthcare, employing ‘double extortion’ to demand ransom for unlocking systems as well as prevent the release of stolen data. Other threat groups include Lace Tempest, Sangria Tempest, and Cadenza Tempest, each using various tactics like RaaS and double extortion.”
Threat actors often breach systems through phishing emails, exploiting outdated software, and leveraging weak network security. Critical systems such as electronic health records, patient management systems, and medical devices are frequently compromised.
In a Microsoft analysis of 13 hospital systems, including rural hospitals, 93 percent of malicious activity was related to phishing campaigns and ransomware, with most activity represented by email-based threats. These threats are among the most common entry points for stealing credentials or deploying malware leading to additional attacks. Attackers often exploit poor credential hygiene and legacy configurations to find easy entry points, oftentimes making rural hospitals with aging IT systems and limited resources an easy target.
These rural hospital networks are also vulnerable to nation-state actors seeking strategic gain and posing a risk to national security. Government-sponsored hackers have used ransomware and collaborated with ransomware groups on tooling for espionage purposes.
“Suspected Chinese government threat actors use ransomware tactics as a cover for espionage or disruption activity,” the whitepaper said. “Iranian threat actors have also been active targeting healthcare organizations. In August 2024, U.S. government agencies alerted the healthcare sector of Iran-based threat actor Lemon Sandstorm, which leveraged unauthorized network access to U.S. healthcare organizations to facilitate, execute, and profit from ransomware attacks by apparently Russian-affiliated ransomware gangs.”
The white paper observed that Microsoft’s work in detecting, assessing, and disrupting actors like Vanilla Tempest and other financially motivated threat actors is a critical part of limiting the worst offenders’ attacks; however, there is more work to be done supporting rural health by mitigating threats at the source. “In 2025, Microsoft will focus efforts on stopping actors who seek to attack vital institutions, including health providers. Governments, in particular, have a responsibility to stop attacks against hospitals. Governments have committed to stop all cyberattacks on hospitals, healthcare, and medical research facilities, and on medical personnel and international public health organizations. It is time they finally do so and punish malicious actors who violate those rules.”
Microsoft noted that it is not uncommon for hospital systems to be down for weeks following an attack, with the reported average downtime being 18.7 days. Although providers can revert to paper processes, this adds risk and cost to daily operations. From a patient care perspective, hospitals dealing with a cyberattack face delays in diagnosis and treatment due to a lack of access to diagnostic data. Non-emergency appointments and elective procedures are likely to be postponed or canceled.
In addition to the disruption of medical services, patients can also suffer less visible impact, including acute stress from being in this type of situation or psychological trauma and a sensation of powerlessness from having private information stolen and potentially exposed by criminals. Also, recovery from cyberattacks, including expenses related to ransomware payment, system restoration, and service disruption, is often very costly.
The Microsoft Cybersecurity Program for Rural Hospitals program witnessed an overwhelming response, surpassing initial expectations and highlighting the critical demand for enhanced security in rural hospitals. Since its inception, over 550 rural hospitals nationwide have enrolled in the program. Of these, more than 375 hospitals are actively engaged in cybersecurity assessments funded by Microsoft. Furthermore, close to 1,000 individuals have participated in specialized cybersecurity training designed specifically for hospital frontline and IT staff, ensuring they are well-equipped to handle potential threats.
In coordination with its cybersecurity partners FSi Strategies and MorganFranklin Cyber, Microsoft collated findings from over 250 completed assessments from rural hospitals across the U.S. The analysis identified areas of greatest vulnerability and risk.
Preliminary data highlights significant cybersecurity vulnerabilities in rural hospitals, particularly in areas like basic cybersecurity practices (e.g., email security, multi-factor authentication, network segmentation, and vendor requirements), vulnerability scanning and patching, and privileged account management. Many rural hospitals lack the resources and expertise to implement robust cybersecurity measures, with only 29 percent adequately managing privileged accounts and 37 percent excelling in endpoint management. Additionally, training and awareness programs are often insufficient, leaving staff vulnerable to social engineering attacks.
Innovation and AI can play a critical role in addressing these challenges and alleviating operational and financial burdens. Generative AI, for instance, can streamline workflows, reduce administrative tasks, and provide clinical insights, freeing up resources for other priorities. Rural hospitals face unique financial struggles, including lower patient volumes, higher fixed costs, and reduced reimbursement rates due to complex insurance rules and claim denials. These factors collectively strain their viability, making technological solutions like AI essential for improving both cybersecurity and operational efficiency.
The Microsoft white paper also highlighted that a critical area where technology companies can provide significant support to rural hospitals is in IT skilling, particularly in cybersecurity and AI. As of 2020, approximately 59 percent of cybersecurity teams across various sectors, including healthcare, were understaffed. This shortage is especially pronounced in hospitals, where filling cybersecurity roles can take up to 70% longer compared to other IT positions.
A study by Black Book, reported by Becker’s Health IT, revealed that 75% of Chief Information Security Officers (CISOs) surveyed believe experienced cybersecurity professionals are unlikely to pursue careers in healthcare due to the heightened risks and potential repercussions following a cyberattack. By offering targeted training and upskilling programs, tech companies can help bridge this gap, empowering rural hospitals to build stronger, more resilient cybersecurity teams.
Addressing the challenges facing rural healthcare demands a multifaceted approach, with active collaboration and support from both the public and private sectors. To combat the acute and escalating cybersecurity risks confronting rural hospitals, often described as ‘target rich, resource poor,’ immediate action and resource allocation are essential. This must be paired with a broader strategy focused on hospital resilience, driven by innovation and strategic partnerships.
A critical first step is fostering a shared understanding of the severity and urgency of these issues to galvanize funding and support. A holistic approach to hospital resilience, encompassing financial viability, resource allocation, and capacity-building, is the only way to ensure these vital institutions remain operational and sustainable in the long term.
The white paper noted that addressing basic cyber hygiene through tools and polices such as MFA (multi-factor authentication), unified identity management, and separation of user and privileged accounts can address many high-probability pervasive risks. Also, a one-time remediation of the most critical cybersecurity risks to rural hospitals is critically important to help hospitals stay as safe as possible in the near term. However, this stop-gap measure is not entirely sufficient. It also identifies a compelling need for the healthcare industry, policymakers and funders, and technology companies to bolster resourcing and innovation across rural areas.
In conclusion, Microsoft identified that rural hospitals are vital points of care for millions of Americans and a cornerstone in rural communities. Unfortunately, cybersecurity is a growing threat to their overall viability. There is an urgent need for both immediate and sustained support for these essential institutions.
“Microsoft envisions, through collaboration with the private sector and public sector partners, a near-term targeted effort, coupled with broader remediation as well as sustained support to ensure long-term rural hospital resilience,” the white paper added. “Through this partnership and sustained commitment to rural America, we can take action at an unprecedented scale and speed to mitigate cyber risk, drive innovation, and ensure both rural hospitals and the Americans they serve are resilient into the future.”
link
