As journalists and experts analyze the impact of the “One Big Beautiful Bill,” which includes more than $1 trillion in cuts to Medicaid and the Affordable Care Act, one area to follow is cybersecurity resources for small and rural hospitals.
Two senators made headlines recently for asking the Trump administration to share its plans for boosting cybersecurity for vulnerable medical centers. In a July 21 letter to HHS Secretary Robert F. Kennedy Jr. and CMS Administrator Mehmet Oz, Sens. Ron Wyden (D-Ore.) and Mark Warner (D-Va.) expressed their alarm at the potential “negative impacts of Trumpcare on the cybersecurity resiliency of rural hospitals.” They noted that over 330 rural hospitals — already financially vulnerable — “will be forced into making impossible choices in order to stay open, continue to serve the health care needs of patients, and employ large swaths of rural communities.”
“Rural and small hospitals already struggle to find the necessary funds to invest in cybersecurity defenses to protect patient information or computer systems and other infrastructure used to deliver health care,” they said. These facilities weigh “challenging tradeoffs” when considering resources needed to replace aging technology systems and train staff. They are less likely to have dedicated professionals to respond to vulnerabilities and breaches.
Rural hospitals have been frequent targets for cybersecurity attacks due to their limited resources and tendency to rely on outdated technology. Hackers know that hospitals have “troves of valuable patient data and weak infrastructure to protect this medical information from theft,” the senators wrote in their letter. They are also aware that hospitals are likely to pay a ransom to protect the data and minimize disruptions to daily operations, especially in areas with a shortage of health care providers.
Concerns before legislation passed
Before the budget bill was signed, some 16% of 187 leaders at small and rural hospitals said they had delayed or reduced cybersecurity investments while awaiting Medicaid funding cuts, according to a Black Book Research survey, TechTarget reported. Some 41% had experienced a malware or ransomware attack, and only 28% had a tested plan for responding to a cyberattack, according to a Becker’s Health IT story.
Other key survey findings include:
- Approximately 73% of surveyed hospitals said they lack adequate cybersecurity defenses, up from 61% in 2023.
- 59% have no dedicated 24/7 monitoring or security operations center, instead relying on general IT staff; 68% have no full-time cybersecurity leader or chief information security officer.
- 82% do not meet federal cybersecurity standards established by the National Institute of Standards and Technology.
Risks of closures
Other rural hospital executives told Becker’s Health IT that they planned to continue making cybersecurity a priority despite their upcoming loss in revenue. “We do not plan on cutting back on cybersecurity as we prepare for the upcoming Medicaid cuts,” said Daniel Grigg, CEO of Wallowa Memorial Hospital in Enterprise, Ore. “I was part of a cybersecurity event at a former hospital, and it’s not something I want to be part of again.”
“We view cybersecurity as one of the greatest risks to our business,” said Brett Altman, CEO of Cass Health in Atlantic, Iowa, noting he had no plans to cut or delay investments in cybersecurity.
Some smaller or rural hospitals have been acquired by larger health systems and have received cybersecurity support through those health systems, the article said.
Research from the University of North Carolina in June indicated that more than 300 rural hospitals across the nation would risk closure due to changes proposed in the bill, TechTarget reported. Nearly one in four people in rural areas have Medicaid, the TechTarget article said, citing KFF data. Estimates from the National Rural Health Association and Manatt Health show that the new law could cause rural hospitals to lose 21 cents of every dollar received in Medicaid funding, further limiting resources for cybersecurity.
Before the bill was passed, 45% of rural hospitals were already operating in the red, said Alan Morgan, CEO of the National Rural Health Association, according to HuffPost.
“There were statements ahead of this bill that the ‘Medicaid cuts may result in rural hospital closures’ — I don’t believe that’s accurate. The Medicaid cuts will result in rural hospital closures,” Morgan said.
Resources for rural hospitals are underused
The “One Big Beautiful Bill” created a $50 billion fund called the Rural Health Transformation Program to try to offset losses from other parts of the legislation. Training and equipment to improve cybersecurity are allowable expenses under the program. However, the money will be spread among all 50 states, and each state must submit a detailed application to CMS for consideration.
Another program created in June 2024 by the Biden Administration, in partnership with Microsoft and Google, provides free or low-cost products and services to rural hospitals to boost their cybersecurity programs. However, just 350 of an estimated 1,800 eligible hospitals (about 20%) had signed up as of last September, Becker’s Health IT reported. The American Hospital Association was working to boost awareness of the program, the report said.
A March 2025 white paper from Microsoft regarding its Cybersecurity for Rural Hospitals Program indicates it has more than 550 rural hospitals participating to receive free cybersecurity assessments, training, product discounts and AI solutions.
Addressing rural health requires a multifaceted approach with engagement and support from the public and private sectors, according to the white paper. “Governments in particular have a responsibility to stop attacks against hospitals,” the authors said. “Unless we act together, cyberattacks will continue to threaten the critical missions of rural hospitals.” Association of Health Care Journalists
