A growing number of small and rural hospitals are delaying cybersecurity improvements due to looming Medicaid funding cuts, according to a June 30 report from Black Book Research.
The survey of 187 leaders at hospitals with fewer than 150 beds found that 25% of U.S. hospitals are vulnerable to cyberattacks because of staffing shortages, outdated technology and low cybersecurity budgets. In many cases, administrators are choosing to focus limited resources on patient care instead of data protection.
Here are six key findings from the report:
- Seventy-three percent of surveyed hospitals say they lack adequate cybersecurity defenses — up from 61% in 2023.
- Fifty-nine percent have no dedicated 24/7 monitoring or security operations center, relying on general IT staff instead.
- Sixty-eight percent have no full-time cybersecurity leader or chief information security officer.
- Fifty-two percent failed to conduct a formal cybersecurity risk assessment in the past year, despite federal HIPAA requirements.
- Forty-one percent have experienced malware or ransomware attacks since early 2024.
- Eighty-two percent fall short of meeting federal cybersecurity standards set by the National Institute of Standards and Technology.
The challenges are compounded by outdated equipment and software, with many hospitals still using systems like Windows Server 2012 and non-upgradable EHRs. Nearly 70% of facilities spend less than 4% of their total IT budgets on cybersecurity — a figure far below industry recommendations.
Adding to the financial strain, 54% of hospitals said they have been denied cyber liability insurance or had their coverage reduced due to weak cybersecurity measures.
Only 28% of hospitals have a tested plan for responding to a cyberattack.