Rural hospital leaders are scrutinizing every budget dollar and have to find a way to balance patient care and safety with defending against digital cybersecurity threats.
Healthcare
Cyber Resilience
Risk Management

As Medicaid Cuts Take Hold, Rural Healthcare Cybersecurity Hangs by a Thread

George V. Hulme / Aug 26, 2025

When Congress passed the "One Big Beautiful Bill Act" this summer, the impact on healthcare delivery providers became clear: there would be more than one trillion dollars in health program cuts. For hundreds of already underfunded hospitals across the nation, the news is stark, and the cuts will likely have significant consequences for the cybersecurity readiness of small providers.

Rural hospital leaders find themselves performing budgetary triage, with every budget dollar being scrutinized. And if that choice comes down to delivering necessary patient care today versus investing to defend against future digital attacks, there isn't really a choice as to where to spend that money, experts say. While cybersecurity risks are real, so is the need to run payroll, keep the lights on, and care for people in need of immediate medical attention.

"Rural healthcare providers get a substantial proportion of their revenue from Medicaid. They can't take many more body blows like this before they're just done," said Mike Hamilton, field CISO at Lumifi Cyber. 

Even before these cuts, rural healthcare delivery organizations struggled with thin margins and staffing shortages. Now, these financial pressures help to foster ideal conditions for attackers to prosper. Healthcare delivery providers can no longer fund their legacy system upgrades, properly manage networks, or fully back up critical data. They have always been prime targets for ransomware gangs, who capitalize on the lack of community healthcare alternatives: for communities served by a single hospital, shutting down emergency services with a ransomware attack is a surefire way to force rapid payment. 

Policy experts warn that the most significant risks are still ahead. As Medicaid eligibility shrinks and federal support recedes, rural hospitals teeter on the brink of insolvency. More than one in three is now at risk of closure, according to national hospital associations. Healthcare delivery organizations are being asked to do more with less, fight off sophisticated cybercriminals who have deep pockets, and serve their communities with increasingly limited resources. "If these systems get knocked over by a ransomware attack, they very well may shut down," said Hamilton.

"Security controls don't make money for an organization," he added. "It's a cost center. And when you're starting to run out of money, you start to shave off stuff that doesn't make money." 


Can Volunteer Cybersecurity Groups Close Gap?

So, what can be done to keep these healthcare delivery organizations secure? While federal funding dries up, different models for rural cybersecurity defense are emerging. Consider the DEF CON Franklin initiative. This volunteer hacker initiative has been quietly helping cash-strapped water utilities defend against nation-state attacks, and it offers a glimpse of what community-driven cyber defense could look like for hospitals as well. More than 50,000 water utilities face the same shortage of the staff and resources necessary to defend themselves. The Franklin model pairs skilled volunteer hackers with small utilities to provide hands-on support for network mapping, password protocols, and vulnerability assessments, all at no cost and with no bureaucratic overhead.

"This is what cyber civil defense looks like," said Ann Cleaveland, executive director of the UC Berkeley Center for Long-Term Cybersecurity, describing the Franklin initiative. The program has already deployed teams in Indiana, Oregon, Utah, and Vermont, proving that volunteer expertise can fill gaps where other resources fall short. 

For rural hospitals facing impossible budget choices, a similar volunteer network could provide the cybersecurity expertise they can no longer afford to hire. With partnerships spanning from hacker communities to industry groups and philanthropic organizations, the Franklin model demonstrates that protecting critical infrastructure doesn't always require government mandates or massive budgets—sometimes it just requires Americans willing to volunteer their skills to defend their communities.

One promising model that could be adapted for healthcare providers is the PISCES program (Public Infrastructure Security Cyber Education System), designed to bolster the cyber defenses of small municipalities and counties. PISCES recruits cybersecurity students to monitor real-time network data from local governments—providing threat detection and alerts in exchange for experiential learning opportunities. The program operates across multiple states, delivering no-cost security operations center (SOC) services to under-resourced public entities that could never afford their own dedicated analysts.

Adapting the PISCES model to healthcare could be transformative for rural hospitals and clinics facing limited cybersecurity resources. 

By tapping into a pipeline of student talent at nearby universities or community colleges, hospitals could benefit from active network monitoring and rapid alerting, helping to spot ransomware and other attacks. At the same time, students gain invaluable hands-on experience in defending real-world, high-stakes environments—strengthening the future cyber workforce. For healthcare organizations on the edge, partnerships modeled after PISCES would mean enhanced threat visibility and response at a fraction of the cost, closing critical gaps left by dwindling budgets and an overstretched workforce.

Steps HDOs Can Take to Bolster Security

Of course, rural hospitals must take immediate steps to protect themselves. 

First, Hamilton explained that smaller hospitals can make substantial strides in their security through effective changes in their internal security policies. "Policy changes can have an outsized impact," he said. "Having a policy detailing that all personal usage will be relegated to personal devices, such as accessing Facebook and Gmail on your own phone, knocks 40% of the security problem right out."

Second, open-source tools offer a lifeline for cash-strapped organizations. Solutions like the ELK stack (a widely used open-source suite including Elasticsearch, Logstash, and Kibana for log collection, management, monitoring, and alerting) can provide robust monitoring and alerting capabilities without the hefty price tag of commercial products. The challenge, of course, is finding the expertise to implement and maintain these tools. Here, Hamilton advises hospitals to consider the value of partnerships with local community colleges with cybersecurity programs. "Taking interns, for example, to set up an ELK stack and initiate monitoring is a great project for them," Hamilton said.

Third, collaboration is key. With the federal government shifting responsibility for disaster management and infrastructure protection to the states, healthcare organizations must band together to share threat intelligence and best practices. State-level fusion centers and non-profit initiatives can help fill the gap left by the retreating federal presence. 

"Recreating things like an information-sharing organization within a state is a viable way for them to do threat intelligence," Hamilton advised.

Finally, Hamilton stressed the importance of leadership and advocacy from security and technology leaders within rural healthcare providers. Building the case for cybersecurity investment—even in lean times—requires clear communication of the risks and the potential consequences of inaction. 

In the end, the story of federal funding cuts and their associated cybersecurity implications for healthcare is one of resilience and adaptation. While the challenges are steep, with ingenuity, collaboration, and a willingness to embrace new approaches, healthcare providers can continue to protect their patients and their communities.

George V. Hulme

George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
