Wednesday, December 11, 2024

Bridging the Gap: Strengthening Cybersecurity for Nonprofit and Rural Healthcare Providers

 

In my previous article (that article can be read here), I introduced the issue facing many nonprofit and/or rural healthcare organizations as it pertains to keeping up with cybersecurity needs, both from a regulatory perspective and from an active threat perspective. The biggest challenge facing these organizations is funding. Healthcare is very expensive to deliver, especially when you depend largely on grants and donations. Unfortunately, cybersecurity is also very expensive, and most nonprofit healthcare organizations just don’t have the funding to keep up with increased threats and increased security regulation.

At the end of that article, I committed to following up with a set of recommendations that I feel could assist with this challenge faced by these healthcare organizations. So, as promised, here is my laundry list of recommendations.

Addressing the challenges of cybersecurity for nonprofit and rural healthcare organizations requires a combination of targeted funding, policy changes, public-private partnerships, and tailored resources. Below are specific recommendations to tackle these issues effectively:

 

1. Increase Federal and State Funding for Cybersecurity

  • Establish Dedicated Grants: Create cybersecurity-specific grants for nonprofit and rural healthcare providers, similar to the Health Center Program administered by HRSA, to fund technology upgrades, training, and security measures.
  • Provide Matching Funds: Encourage states to provide matching funds for federal grants to incentivize investment in cybersecurity infrastructure.
  • Subsidize Cyber Insurance: Offer subsidies or tax incentives to help small healthcare organizations afford cyber insurance, which can mitigate financial risks from breaches.

2. Develop Tiered Compliance Requirements

  • Adjust Regulations for Smaller Organizations: Mandate cybersecurity standards that are scaled based on the size, resources, and risk profile of healthcare organizations. This prevents overwhelming smaller entities with costly compliance requirements.
  • Offer Grace Periods: Provide extended timelines and guidance for rural and nonprofit healthcare providers to meet new cybersecurity mandates.

3. Leverage Public-Private Partnerships

  • Expand Industry Support Programs: Encourage technology companies to broaden their cybersecurity initiatives to include all vulnerable healthcare providers, not just rural hospitals.
  • Create Shared Cybersecurity Centers: Partner with private sector firms to establish regional cybersecurity resource hubs where small providers can access tools, training, and support.
  • Collaborate on Affordable Solutions: Work with cybersecurity vendors to develop affordable solutions tailored to the needs of nonprofit and rural healthcare organizations.

4. Build Cybersecurity Workforce Capacity

  • Launch Training Programs: Fund cybersecurity training specifically for healthcare IT professionals, focusing on nonprofit and rural settings.
  • Promote Loan Forgiveness for Cybersecurity Professionals: Introduce loan forgiveness programs for cybersecurity experts who work in underserved healthcare organizations for a specified period.
  • Leverage Virtual Support Networks: Create remote cybersecurity support networks, allowing experts to assist multiple small healthcare organizations simultaneously.

5. Enhance Technology Access

  • Subsidize Cloud-Based Security Solutions: Provide financial incentives for nonprofit and rural healthcare providers to adopt cloud-based solutions with built-in security features.
  • Encourage Open-Source Tools: Invest in the development of open-source cybersecurity tools that can be used by resource-constrained healthcare providers.
  • Enable Group Purchasing Power: Form cooperative purchasing programs to allow smaller healthcare providers to collectively negotiate for lower prices on cybersecurity tools and services.

6. Foster Information Sharing

  • Create Regional Cybersecurity Alliances: Establish local or regional alliances where healthcare providers can share threat intelligence and best practices.
  • Improve Government Alerts: Ensure that federal agencies provide timely and actionable cybersecurity alerts specifically tailored to the healthcare sector.
  • Facilitate Incident Response Teams: Develop rapid-response teams that nonprofit and rural providers can call on during a cybersecurity breach.

7. Advocate for Policy Adjustments

  • Integrate Cybersecurity into Rural Health Initiatives: Advocate for existing rural health programs to include cybersecurity as a core component.
  • Require Vendor Accountability: Implement policies that hold software and hardware vendors accountable for providing secure, easily updatable solutions to healthcare organizations.
  • Support Anti-Trust Exemptions for Collaboration: Allow small healthcare providers to collaborate without fear of antitrust violations when sharing resources or negotiating with vendors.

8. Focus on Education and Awareness

  • Launch Awareness Campaigns: Educate healthcare leaders on the critical importance of cybersecurity and how to integrate it into operational priorities.
  • Develop Simple Training Modules: Create low-cost or free cybersecurity training modules tailored for healthcare staff with limited technical expertise.

9. Provide Emergency Relief for Breach Recovery

  • Establish a Cybersecurity Emergency Fund: Offer financial support for nonprofit and rural healthcare providers affected by significant cyberattacks, helping them recover operations without sacrificing patient care.
  • Simplify Federal Aid Access: Streamline the process for healthcare organizations to access emergency funds post-breach.

10. Pilot Programs and Case Studies

  • Launch Pilot Projects: Fund pilot programs in rural areas to test innovative cybersecurity approaches, documenting their effectiveness and scalability.
  • Document Success Stories: Share case studies of organizations that have successfully implemented affordable cybersecurity measures to inspire and guide others.

Conclusion

Addressing these cybersecurity challenges requires a multi-faceted approach that prioritizes equity and sustainability. By leveraging funding, partnerships, and tailored resources, policymakers and industry leaders can help nonprofit and rural healthcare organizations enhance their cybersecurity defenses without compromising patient care. These solutions must be actionable, scalable, and sensitive to the unique constraints these organizations face. 

Obviously, there is no panacea that will immediately solve the cybersecurity issues facing our nonprofit and rural healthcare organizations. However, putting together a thoughtful, coordinated action plan such as the one above, involving both public and private resources, will greatly help our underfunded nonprofit and rural healthcare organizations who are providing care on a daily basis for the most underserved populations in our society. These are a public health resource that we just cannot afford to lose.

Friday, December 6, 2024

Cybersecurity Requirements May Break the Back of Nonprofit Health Care in the United States

 

Cybersecurity is a huge concern for health care entities, as health care is one of the industries most targeted by cyber criminals according to an article by the EC-Council University (https://www.eccu.edu/blog/cybersecurity/top-industries-most-vulnerable-to-cyber-attacks). The health care industry is so targeted, in fact, that Congress is now considering a bill, with the backing of HHS, to mandate that health care organizations strengthen their cybersecurity defenses (https://www.finance.senate.gov/imo/media/doc/health_infrastructure_security_and_accountability_act_leg_text.pdf). This is all well and good for those for-profit entities such as United Healthcare, Humana, or CHI who have fairly deep pockets. The big question is: where does this leave nonprofit entities struggling to provide safety net services on sliding fee schedules, depending on decreasing reimbursements and grant funding to survive?

Microsoft and Google, working with the White House, have come up with a so-called plan to help, consisting of free and discounted cybersecurity resources to assist in enhancing health care cybersecurity. I call this a so-called solution because it only addresses one discrete area of need, rural hospitals. What this completely misses are the over 1,400 Federally Qualified Health Care (FQHC) centers operating at more than 15,000 sites serving more than 26.6 million patients per year or the over 5,200 rural health clinics (RHC) serving more than 37.7 million patients per year, both providing integrated outpatient care to those who otherwise would not have access to health care or couldn’t afford it. These organizations survive on shoestring budgets where the goal is to dedicate every penny possible to patient service. With cybersecurity threats increasing in complexity and number almost daily, it is nearly impossible for these organizations to keep up. Yet instead of providing help where it is actually needed, our technology industry and government make superficial efforts to look like they are helping with the problem while Congress seeks to pass more stringent regulations without any assistance in meeting those regulations.

If you have been watching the news lately, you have seen a number of rural and nonprofit health care organizations closing facilities at a breakneck pace because the margins are so low that they cannot survive. When we layer in the hundreds of thousands of dollars or more that each health care organization is going to have to spend to keep up with cybersecurity threats, that means we can expect to see even more health care facilities closing in the areas where they are needed most. We aren’t talking about metro areas like Los Angeles or Chicago; we are talking rural, less densely populated areas such as rural areas of Nevada, Utah, Colorado, Arizona, California, and much of the southern United States. On average, these residents tend to be older and potentially require more medical attention than the average person. In an article published in the Journal of the Missouri State Medical Association (https://pmc.ncbi.nlm.nih.gov/articles/PMC6140198/), it was stated that while 20% of Americans live in rural areas, only one-tenth of physicians practice there.

My call to action is this: While we all agree that increased cybersecurity in health care is necessary and we are all tired of reading about the breaches, we need to come up with some real solutions to assist this industry, especially the safety net and rural providers who are hit hardest by the extra costs that these initiatives bring. We need to stop complaining and put together real action plans because our health care industry is already straining and struggling and the added burden of increased costs around cybersecurity is enough to break it where it is needed most. 

In my next post, I will attempt to provide some suggestions as to how we might be able to attempt to solve this problem.


The Importance of Our Community Health Centers

With National Health Center Week just wrapping up a couple of weeks ago (August 3-9, 2025), I think it is timely to highlight the work and o...