Funding Shortfalls Pressure Small and Rural Hospitals to Delay Essential Data Security Investments; Survey of 187 Small Hospital Leaders Highlights Growing IT Vulnerabilities
TAMPA, FL / ACCESS Newswire / June 30, 2025 / Black Book Research today released alarming findings from its Q1-Q2 2025 cybersecurity readiness survey of 187 verified hospital administrators and IT leaders from small and rural healthcare facilities across the United States. The results spotlight a significant rise in cyber threats coupled with a concerning decline in preparedness, particularly among critical access and non-urban hospitals with fewer than 150 beds.
"Small and rural hospitals are on the frontline of America's healthcare cybersecurity crisis," said Doug Brown, founder of Black Book Research. "This year's findings confirm that the majority lack the staffing, funding, and infrastructure to defend themselves against increasingly sophisticated attacks."
Sixteen percent of all respondent U.S. hospitals are delaying or reducing cybersecurity investments, in part due to pending Medicaid funding cuts, exacerbating this nationwide issue.
Key Survey Insights representing 187 facilities:
137 hospitals (73%) report inadequate cybersecurity infrastructure to guard against targeted cyberattacks, an increase from 61% in 2023.
110 hospitals (59%) lack 24/7 threat monitoring or a dedicated security operations center (SOC), relying instead on untrained general IT staff for incident response.
127 organizations (68%) do not employ a full-time Chief Information Security Officer (CISO) or dedicated cybersecurity leader.
97 facilities (52%) have not conducted a formal cybersecurity risk assessment in the past year, despite federal HIPAA mandates.
77 hospitals (41%) have experienced malware or ransomware incidents since early 2024, often lacking effective backup systems or established recovery protocols.
154 respondents (82%) acknowledged falling short of meeting NIST Cybersecurity Framework standards required for healthcare organizations.
Primary Cybersecurity Challenges:
Severe Workforce Gaps: More than 44% (82 hospitals) outsource all cybersecurity functions without adequate governance oversight or strategic direction.
Legacy Infrastructure Risks: Over half operate outdated systems such as Windows Server 2012, unsupported medical devices, or non-upgradable EHR modules, exposing them to known vulnerabilities.
Insufficient Capital Investment: Cybersecurity accounts for less than 4% of total IT budgets at 129 facilities (69%), often diverted to urgent clinical or infrastructure needs.
Cyber Insurance Denials: Over half (101 hospitals, 54%) have been denied or had cyber liability insurance coverage reduced due to insufficient security standards.
No Incident Response Plan: Only 52 organizations (28%) have a tested disaster recovery and incident response plan, leaving the majority vulnerable to rapid escalation during cyberattacks.
Cybersecurity First to Go if Funding Drops, Safety-Net Leaders Warn
A related Black Book flash survey of urban safety-net hospital leaders conducted this week underscores the severity of the problem: all twelve executives surveyed stated that cybersecurity upgrades would be among the first expenditures delayed or canceled if anticipated Medicaid funding reductions take effect. Despite the escalating cyber risks, budget shortfalls compel hospitals to prioritize clinical care and staffing over IT security.
"This dangerous trend is consistent across urban and rural safety-net facilities: when budgets shrink, cybersecurity is the first line-item cut-even though administrators recognize the catastrophic risks involved," added Brown.
Industry Response & Outlook
As cyberattacks increase in frequency and sophistication, unprepared hospitals face operational disruptions, patient safety risks, and financial devastation. Although regulatory bodies like the HHS Office for Civil Rights and the Federal Office of Rural Health Policy have indicated increased support for cybersecurity modernization, immediate financial investment and technical assistance remain critically lacking.
"If not urgently addressed, this cybersecurity gap threatens the health and privacy of millions of rural Americans," Brown emphasized. "Strategic partnerships, grant-supported modernization efforts, and scalable managed security services must become immediate national priorities."
According to survey data, five vendors have emerged as essential cybersecurity partners for small and rural hospitals in 2025, reflecting alignment with operational and budgetary constraints. All five have scored as the top performers in their service and product lines as measured by client satisfaction on 18 hospital cybersecurity key performance indicators:
Microsoft: Widely adopted through its Rural Hospital Cybersecurity Program supporting approximately 550 facilities nationwide, providing subsidized security tools and specialized staff training.
Critical Insight (now Lumifi): Preferred for managed detection and response (MDR) services, delivering SOC-as-a-Service and HIPAA-aligned assessments tailored to resource-constrained rural providers.
Censinet: Frequently engaged for its third-party risk management platform, essential for evaluating cybersecurity posture among EHR vendors and supply chain partners, ensuring compliance and audit readiness.
Cisco Secure: Valued for its comprehensive cybersecurity portfolio, including advanced endpoint protection, cloud security, and simplified threat management tailored specifically for healthcare environments.
Fortified Health Security: Recognized for specialized healthcare cybersecurity consulting and managed security services, supporting hospitals in risk assessments, compliance programs, and ongoing threat mitigation.
These findings highlight rural hospitals' increasing dependence on external cybersecurity partnerships emphasizing affordability, compliance alignment, and minimal internal staffing needs.
Black Book will continue monitoring the evolving cybersecurity landscape, providing insights as rural hospitals navigate escalating threats and strive for resilience.
Based on a sample size of 187 respondents out of approximately 1,796 small and rural hospitals, the survey results have a confidence level of 95%, with a margin of error of about ±6.8%. This means that the survey findings accurately represent the views of all small and rural hospitals within this margin of error.
About Black Book Research
Black Book is the leading independent healthcare market intelligence firm, conducting surveys and client experience research since 2011. Black Book does not accept sponsorship or vendor payments, ensuring unbiased rankings, reports, and analyses. For more information on lciensing bespoke vendor scorecards, contact research@blackbookmarketresearch.com
The Black Book Rural Hospital Cybersecurity Readiness Survey (Q1-Q2 2025) evaluated 18 qualitative key performance indicators (KPIs) aligned with NIST and HIPAA standards, involving 187 participants including CEOs, CFOs, CIOs, IT Directors, and Compliance Officers from hospitals serving non-urban regions with fewer than 150 beds. The 2025 Black Book of Healthcare Cybersecurity is available for no charge to small hospital executives and stakeholders as well as media at https://www.blackbookmarketresearch.com
Contact Information
Press Office
research@blackbookmarketresearch.com
8008637590
SOURCE: Black Book Research
View the original press release on ACCESS Newswire:
https://www.accessnewswire.com/newsroom/en/healthcare-and-pharmaceutical/hospitals-at-cybersecurity-crossroads-projected-medicaid-cuts-threate-1043388
