Rural hospitals are bracing for Medicaid cuts that could affect their cybersecurity.
The One Big Beautiful Bill Act, signed into law July 4 by President Donald Trump, slashes Medicaid funding by nearly $1 trillion over the next decade. Healthcare leaders testified before Congress on July 9 that the reductions could harm rural cybersecurity.
But will rural hospital leaders really delay cybersecurity projects or investments because of the government spending cutbacks?
“The answer is yes. We have to look at all expenses right now,” Kevin Stansbury, CEO of Hugo, Colo.-based Lincoln Health, told Becker’s. “Relative to the cybersecurity issues, we are also concerned about USAC [Universal Service Administrative Company] funding. This year, we were denied some of the grants that help us cover the costs of cybersecurity infrastructure.”
Sixteen percent of small and rural hospitals are planning to postpone cybersecurity expenditures, in part due to the looming Medicaid cuts, Black Book Research reported June 30.
“We are still evaluating the bill and the potential effects,” said David Walz, BSN, RN, president and CEO of Madelia (Minn.) Health. “We have very little funds to begin with, so any decreases will cause additional challenges.”
Still, several rural hospital executives told Becker’s that they plan to prioritize cybersecurity despite the potential loss in revenue.
“We do not plan on cutting back on cybersecurity as we prepare for the upcoming Medicaid cuts. In fact, that would be one of the last cuts I would advocate for,” said Daniel Grigg, CEO of Enterprise, Ore.-based Wallowa Memorial Hospital. “I was part of a cybersecurity event at a former hospital, and it’s not something I want to be part of again. I can’t speak for my other small hospital colleagues, but I would be surprised to see that as a popular strategy.”
Some small and rural hospitals have been acquired by larger health systems and now get their cybersecurity defenses that way. “We are not delaying any cybersecurity protection, as we belong to WVU health system, and it’s part of our system process,” said Mark Boucot, president and CEO of Oakland, Md.-based Garrett Regional Medical Center and Keyser, W.Va.-based Potomac Valley Hospital.
Other small hospitals are upping their cybersecurity budgets in the face of the funding slowdown. Healthcare is now the most-targeted critical infrastructure industry by hackers, while cyberattacks tend to be more disruptive for rural hospitals.
“We view cybersecurity as one of the greatest risks to our business,” said Brett Altman, CEO of Atlantic, Iowa-based Cass Health. “While the cuts to Medicaid may impact smaller hospital investment in cybersecurity, we have no plans to cut or delay our investments. In fact, in light of increasingly sophisticated attacks, we have invested more in our staffing, technology, and monitoring defenses in recent months.”
Pinckneyville (Ill.) Community Hospital is still seeking a cybersecurity partner in spite of the Medicaid cuts, said CEO Randall Dauby. The 20-bed critical access hospital’s IT department facilitates firewalls and internal testing but the organization needs more sophisticated outside assistance to thwart cyberattacks. Fifty-nine percent of small hospitals don’t have 24/7 threat monitoring or a dedicated security operations center, relying instead on general IT staff, Black Book Research found.
“Finding the right company based upon our needs as a small rural hospital at a reasonable price has been difficult, but we are going to proceed with cybersecurity,” Mr. Dauby said. “There are way too many chances of getting hit by cyber thieves, and the cost of an attack can be in the thousands/millions.”
Cybersecurity is particularly important for rural hospitals as hackers have shifted their focus from larger health systems to smaller organizations, as they see them as “softer targets,” at the same time AI makes hacks more sophisticated, said Trevor Smith, director of information services at Gunnison (Colo.) Valley Health. So he’s grateful that his county-owned health system, anchored by a 24-bed critical access hospital, doesn’t plan to reduce cybersecurity investments.
“When I’ve been thinking about the One Big Beautiful Bill and the implications, cybersecurity is definitely not one of those places that bubble up the top of my mind [to cut] versus unprofitable service lines or other areas that are high cost and don’t have a lot of revenue associated with it,” said Gunnison Valley Health CEO Jason Amrich. “That’s been more my focus.”
He called cybersecurity funding the “price of admission” in healthcare and said that any downsizing would be too risky to operational and patient safety.
Mr. Smith said the health system has been experiencing cost increases from 300-500% on cybersecurity vendors that could force its hand on this issue. Many cybersecurity companies are trying to become all-in-one platforms, while his health system’s cybersecurity posture has benefited from an a la carte approach, he said.
“We are getting into a little bit of, I would almost say, corporate greed with some of these vendors that we’re dealing with right now. So it’s only a matter of time before we have to make those hard decisions,” he said.
But, he added, “I’m fortunate that we have a CEO who obviously sees the importance there, but that wasn’t always the case here. Trying to sell cybersecurity to some CEOs is a very difficult task that a lot of other small organizations may struggle with, because you don’t really appreciate it until you get in a really difficult spot where you have some sort of ransomware or other event.”
Mr. Amrich said he doesn’t envision his peers at other rural hospitals downsizing their cybersecurity beyond what they have now, as a baseline level is needed to protect against hackers. They may, however, look at saying no to the latest “Cadillac model” upgrade, for instance.
“As new bells and whistles come out, yes, those could be delayed, but there really is just a foundation that we have to have, that can’t be eroded,” he said.
