In 2024, cybersecurity in the health sector broke records for all the wrong reasons. The Department of Health and Human Services reported more than 650 major health data breaches that impacted over 182 million people. The threat of more cybersecurity incidents has become a critical concern for healthcare facilities of all sizes.
Rural hospitals, however, face unique challenges and levels of impact when it comes to a cybersecurity incident, up to and including the risk of closure. Due to several factors, including potential use of old technology, smaller operating margins and a lack of manpower, rural hospitals are particularly vulnerable to cyberattacks and are less able to respond in a strong and timely manner.
These institutions play a vital role in providing healthcare to communities that are often underserved. But they don’t have the ability to invest millions to protect themselves from cyber threats. Fortunately, there are many things they can do to lower their risks.
The financial and operational impact of a cyberattack
Cyberattacks can have a significant financial impact on rural hospitals. The costs associated with responding to a cyber incident, including hiring external cybersecurity experts, restoring compromised systems and addressing regulatory fines, can be overwhelming for facilities with limited budgets.
Regarding operational impact, the consequences can be far-reaching, as research published by the University of Minnesota recently found. First, operational disruptions caused by a cyberattack can lead to lost revenue, as patients may seek care elsewhere. But operational disruptions can also lead to significant access challenges for the more than 60 million Americans who rely on a rural hospital.
The ability to access health services is a far greater challenge in rural areas where individuals, who are often older with pre-existing conditions, may be hours away from another health facility. The research found that if a rural patient needed to travel to a different facility due to a cyber event, the travel time was more than three times higher than for urban patients. While cyberattacks are more likely to occur in urban areas, the impact on rural hospitals is more devastating.
The expensive but necessary investment in cybersecurity
Several rural health leaders recently sat down with R1 to discuss cyber threats, and they all echoed the same sentiment: it is a critical investment. Siri Nelson, president and CEO at Marshall Medical Center in California, emphasized the importance of prioritizing investments in cybersecurity. “Investing in cybersecurity is essential for prioritizing patient care,” she said.
She also talked about the important steps rural hospitals should take in prioritizing cybersecurity functions, starting with an assessment. “We started with a complete assessment of where we were. We looked at our weaknesses and what we needed to focus on and really tried to invest the money where it made the most sense,” Nelson said.
However, for many rural hospitals, finding the funds to make these investments can be a significant challenge. Amy Cooper, COO at Mind Springs Health and West Springs Hospital in Colorado, suggests that rural hospitals look at the costs of cybersecurity measures compared to the potential costs of a breach. She said that while the investment in cybersecurity might not provide immediate returns on investment, it is crucial for protecting patient data and maintaining trust.
Cooper also considers cybersecurity a regular expense of doing business. “Because cybersecurity is a necessity, we factor the cost into our budget similar to any other operational expense.”
Vigilance, education and continuous monitoring
Many cyber incidents originate from human error, such as an employee clicking on a phishing link or responding to a suspicious email. One of the best ways to prevent a cybersecurity incident is through staff education. In fact, one report stated that cybersecurity risks can be reduced from 60% to as low as 10% with a good training program. As cyber threats continue to evolve and grow stronger, healthcare facilities must stay up to date with the latest security protocols and best practices. This includes regularly updating software and systems, conducting routine security audits and providing ongoing training for staff.
Wayne Henley Gillis, President and CEO of Rehoboth McKinley Christian Health Care Services, agrees that vigilance and staff education are key. “We started grassroots,” he said. “We dove into a lot of ground up education and did it frequently. It doesn’t cost much, but the savings on the backend has been massive.” By fostering a culture of cybersecurity awareness, rural hospitals can empower their staff to recognize and respond to potential threats effectively.
To help reduce cyber threats, Mick Palmer, deputy chief information security officer at R1, offers three suggestions:
- Ensure operating systems are kept up to date. Continuous monitoring of operating systems includes performing regular patch updates from software developers as soon as they become available.
- Limit access control. Limit the number of people who have access to specific data, resources and applications by granting only the minimum access needed to perform a job function.
- Eliminate unnecessary electronic services or software packages. Remove all non-essential technology and retain only the necessary tools and software needed.
Managing cybersecurity risks with vendors
Another critical aspect of cybersecurity for rural hospitals is managing risks associated with third parties. When selecting partners and vendors, Palmer advises considering an organization’s industry reputation and SOC 2 certifications to gauge their cybersecurity compliance. He says it’s also crucial to include contract language that holds them to the expected standard.
As cybersecurity is now top of mind for most hospital leaders, many are now shifting their mindset and talking about cybersecurity considerations early when choosing a vendor or partner. “Whether we’re buying equipment or looking at a system integration, we’re having security conversations early,” Gillis told R1.
The role of revenue cycle management (RCM) partnerships
Partnering with a reputable and secure revenue cycle management (RCM) company can provide an extra layer of cyber protection, as these companies often have dedicated cybersecurity teams and advanced tools that may not be readily available to smaller hospitals. Because they invest heavily in cybersecurity, they can help mitigate risks associated with third-party access and ensure that sensitive data is transmitted securely using encrypted methods and modern, trusted technology.
Furthermore, if there is the unfortunate event of a cyber incident, a reputable and prepared RCM partner can provide crucial support. While they may not directly aid in a system’s technical recovery, they play a vital role in account resolution, an endeavor that is very challenging for hospitals to manage independently. There have been instances where hospitals, still grappling with claim processing 18 months post-incident, are met with payer refusals due to excessive delays. An RCM company can offer invaluable support in navigating these financial challenges brought about by a cyberattack.
When choosing an outsourcing partner for RCM services, it is crucial for rural hospitals to select one that prioritizes cybersecurity. This ensures they can benefit from the partner’s expertise and resources, ultimately leading to a more secure and resilient healthcare environment.
Robust cybersecurity measures are indispensable for maintaining smooth operations, ensuring patient safety and safeguarding the financial stability of healthcare institutions. By taking proactive steps to address cybersecurity risks, rural hospitals can continue to provide high-quality care to their communities, even in the face of evolving cyber threats.
Five questions to ask your CIO/CISO:
- Current threat landscape: What are the most significant cybersecurity threats we face today?
- Incident preparedness: How prepared are we to respond to a cyber incident?
- Vendor security: How do we ensure our vendors are maintaining adequate security measures?
- Training programs: What training and awareness programs are in place for our employees?
- Regulatory compliance: Are we fully compliant with all relevant regulations and prepared for upcoming changes?