What is Google's rural healthcare cybersecurity initiative?

Rural hospitals across America face a cybersecurity crisis that may be a threat to operations and patient safety. As noted by Google, "Cyberattacks on healthcare organizations disrupt their ability to operate and jeopardize patient care. Rural healthcare systems in the US serve 60 million people and are at the heart of countless communities. The safety of everybody in a community is threatened when critical healthcare information systems are unavailable due to cyber incidents." 

Rural facilities have struggled to deal with ransomware attacks and data breaches. In response, Google has launched a cybersecurity initiative specifically designed to protect rural healthcare organizations from the growing threat of cyberattacks.

 

The challenge facing rural healthcare

Rural healthcare facilities are vulnerable to cyber threats for several reasons. These hospitals often operate with limited IT resources, smaller cybersecurity budgets, and fewer technical staff than their urban counterparts. Many rural hospitals are critical access hospitals located more than 35 miles from the nearest alternative facility, making any disruption in service life-threatening for patients.

The financial constraints facing these institutions have only intensified in recent years. According to 2024 cybersecurity predictions for rural hospitals, "While cybersecurity remains a top spending priority, rural hospitals still have tight budgets, leading to a more rationalized approach to managing resources." Despite these constraints, the same report notes that "Health care organizations still place cybersecurity as one of their top three funding priorities."

As Senators Ron Wyden and Mark Warner noted in their letter to federal health officials, "Rural and small hospitals already struggle to find the necessary funds to invest in cybersecurity defenses to protect patient information or computer systems and other infrastructure used to deliver health care." The senators further warned that "Over 330 rural hospitals — already financially vulnerable — will be forced into making impossible choices in order to stay open, continue to serve the health care needs of patients, and employ large swaths of rural communities."

This issue is far-reaching. According to the National Rural Health Association, "From 2016-2021, 43 rural hospitals across 22 states experienced a ransomware attack." Even more concerning is the operational impact of these attacks: "84% of ransomware attacks on rural hospitals resulted in operational disruptions including: Electronic system downtime (81%), Delays or cancellations in scheduled care (42%), Ambulance diversion (33%)."

Recent survey data from Black Book Research and Becker's Health IT, as reported by the Association of Healthcare Journalists, reveals the depth of cybersecurity vulnerabilities in rural healthcare. "Approximately 73% of surveyed hospitals said they lack adequate cybersecurity defenses, up from 61% in 2023." The staffing challenges are equally concerning: "59% have no dedicated 24/7 monitoring or security operations center, and 68% have no full-time cybersecurity leader." Perhaps most shocking, "82% do not meet federal cybersecurity standards established by the National Institute of Standards and Technology."

 

Evolving threats and strategic responses

Cybersecurity continues to change, presenting new challenges for rural healthcare organizations. According to the 2024 cybersecurity predictions for rural hospitals, "Rural health care leaders have a monumental task in determining if and how they will harness AI's benefits while safeguarding against risks." The same report warns that "Cybercriminals can weaponize AI to launch more targeted attacks… crafting more sophisticated and highly personalized spear-phishing emails."

However, experts emphasize that success in cybersecurity doesn't necessarily require the most expensive solutions. As noted in the same predictions report, "Success depends not on having the latest tools but implementing the right tools strategically to build a robust, efficient cybersecurity program that can address evolving threats." This approach is relevant for resource-constrained rural hospitals, where "in 2024, the industry, especially rural hospitals, will reexamine cybersecurity strategies to invest in tools and services that eliminate overlap and help optimize existing technologies that can further advance their cybersecurity posture to protect against new threats."

For many rural hospitals facing staffing and budget constraints, outsourcing may provide a viable solution. According to the predictions report, "One cost-effective option may be for rural hospitals to outsource cybersecurity skills to a dedicated partner."

Cybercriminals are well aware of these vulnerabilities. As the Association of Healthcare Journalists reported, "Hackers know that hospitals have troves of valuable patient data and weak infrastructure to protect this medical information from theft. They are also aware that hospitals are likely to pay a ransom to protect the data and minimize disruptions to daily operations, especially in areas with a shortage of health care providers."

The consequences of cyberattacks on rural healthcare can be devastating. As Google details in "How Google is helping to improve rural healthcare cybersecurity": "In the first half of just this year, attacks on hospitals and their suppliers have disabled payment systems, prevented patients from receiving the care they need, and in some cases, have made it unsafe to be a patient physically located inside an impacted care facility."

The stakes are high in rural communities. As the National Rural Health Association explains, "Ransomware attack disruptions are more detrimental in rural areas, given the greater distances patients must travel to receive care and the outsized impact that lost revenue may have on rural hospital finances."

For patients experiencing medical emergencies, the stakes couldn't be higher. According to the same Google analysis, "The first 60 minutes after an injury or other health emergency can be vital to a patient's survival, enabling diagnosis and rapid medical interventions. If they can't get the care they need in that 'golden hour,' then the likelihood that the patient will not survive the diversion trip from the nearest hospital to another facility increases." The operational impact extends beyond emergency situations. As Google notes, "While clinicians do their best to keep track of everything with paper and pen during a cyberattack that takes down their EMR system, no access to patient medical records can slow or even halt simple procedures that save lives."

 

Google's response

In June 2024, Google announced it will provide a range of free or discounted cybersecurity services to rural hospitals across the country to help them in their efforts to prevent cyberattacks. The announcement was made in collaboration with the White House and the American Hospital Association (AHA). This initiative represents a public-private partnership aimed at strengthening America's healthcare cybersecurity infrastructure.

"Cybersecurity is a top priority for America's hospitals and health systems. It is also a shared responsibility," said AHA President and CEO Rick Pollack. The AHA played a role in facilitating discussions with the White House and Google, working closely to identify what services and solutions would be most valuable and impactful for hospitals as they continue to strengthen their cybersecurity efforts.

The initiative is built around four pillars that address the unique challenges facing rural healthcare organizations, with a focus on efficiency and strategic implementation. As noted in 2024 cybersecurity predictions for rural hospitals, "The future of health care cybersecurity is efficiency. Doing more with less will be crucial to risk mitigation and financial stability."

 

Secure-by-design technology solutions

The foundation of Google's rural healthcare cybersecurity initiative rests on providing secure-by-design technology that has been engineered with security from the ground up, rather than having security measures added as an afterthought. Google recognizes that many health systems currently operate technology that was built for interoperability but lacks robust security measures.

Through this initiative, Google offers several technology solutions to eligible rural healthcare organizations. Chrome Enterprise Browser and ChromeOS provide a more secure alternative to traditional browser and operating system combinations, helping health systems safely access internet-based and internal technology resources essential for patient care delivery.

Google Workspace Enterprise Essentials Plus forms another component of the offering. This collaboration platform combines productivity applications, including Docs, Slides, Sheets, and Drive, with messaging applications like Gmail and Chat. Importantly for healthcare organizations, Google Workspace supports HIPAA compliance and includes sophisticated security tools to keep patient data safe while simplifying communication between administrators, clinicians, and patients.

 

Information sharing and threat intelligence

Google's initiative recognizes that information sharing is vital for securing the healthcare sector. The company has developed partnerships with multiple information sharing and analysis centers, including the Health Information Sharing and Analysis Center (Health ISAC), across more than 10 infrastructure sectors. This approach emphasizes the need for better mechanisms to capture and share information that goes beyond traditional threat intelligence.

 

Education and training programs

Understanding that cybersecurity expertise is often in short supply at rural healthcare facilities, Google has committed resources to education and training initiatives. Google.org grants help fund cybersecurity clinics at universities and colleges, which support rural and underserved hospitals in their communities. 

These cybersecurity clinics at institutions including Eastern Washington University, Massachusetts Institute of Technology, Rochester Institute of Technology, Tougaloo College, Turtle Mountain Community College, and the University of Texas work directly with small, underserved, and rural healthcare systems to improve their cybersecurity posture.

Google also provides access to courses from its Mandiant Academy program. The Health ISAC receives 20 on-demand training courses at no charge, which it can distribute to its members, plus credits for 10 public, instructor-led courses. These programs offer certifications in incident response and threat intelligence, providing rural healthcare workers with concrete skills to defend their organizations.

 

Discounted and free services

Eligible rural hospitals can receive free cybersecurity assessments by qualified technology security providers and free training for frontline and IT staff. Google has structured its offerings to be financially accessible to resource-constrained rural hospitals, with many services provided at no cost and others offered at substantial discounts. Additionally, Google provides endpoint security advice to rural hospitals and non-profit organizations at no cost, along with a pool of funding to support software migration.

 

A broader system of support

Google's initiative is part of a broader system of support for rural healthcare cybersecurity. According to the AHA, it has long been committed to helping hospitals and health systems defend against cyberattacks that threaten patient care and compromise patient safety. AHA's National Advisor for Cybersecurity and Risk, John Riggi, a former FBI executive with decades of cyber experience, leads these cybersecurity efforts.

In addition to providing cybersecurity support to individual hospitals and health systems, AHA continues to share information and guidance with the field on the latest cyberthreats. AHA provides a full suite of tools and resources for members, as well as a Preferred Cybersecurity Provider Program to assist hospitals and health systems with selecting trusted and vetted cybersecurity solution providers.

Legislative efforts are also underway to address systemic challenges. The proposed Rural Hospital Cybersecurity Enhancement Act would require the Cybersecurity and Infrastructure Security Agency (CISA) to develop and annually report to Congress about a workforce development strategy to address the unmet need for cybersecurity professionals in rural hospitals. Additionally, CISA must distribute materials that rural hospitals may use to train staff about cybersecurity.

The Small Hospital Improvement Program (SHIP) provides additional funding to assist rural hospitals with the purchase of health information technology (HIT) and equipment, among other activities, to support small rural hospitals' readiness against cyberattacks.

 

Growing challenges and the need for collective action

The challenges facing rural hospitals have intensified with recent policy changes. Alan Morgan, CEO of the National Rural Health Association, warned about the impact of federal funding cuts, as reported by the Association of Healthcare Journalists: "The Medicaid cuts may result in rural hospital closures — I don't believe that's accurate. The Medicaid cuts will result in rural hospital closures."

However, industry experts emphasize that addressing these challenges requires a coordinated approach. As noted in Microsoft's white paper on rural hospital cybersecurity, "Governments in particular have a responsibility to stop attacks against hospitals. Unless we act together, cyberattacks will continue to threaten the critical missions of rural hospitals."

 

Current adoption and challenges

Despite the free and discounted nature of these programs, adoption has been slower than hoped. According to Becker's Health IT, just 350 of an estimated 1,800 eligible hospitals (about 20%) had signed up for the programs as of 2024. This low adoption rate points to the difficulty of reaching rural healthcare organizations and helping them understand and implement the cybersecurity resources available to them.

The initiative addresses these adoption challenges through dedicated support and consulting services. Google works directly with qualified rural health organizations to tailor solutions to their specific needs and provides implementation services to support adoption of the security tools and practices.

Rural healthcare organizations interested in learning more about Google's cybersecurity initiative can sign up to explore eligibility and implementation options.

 

FAQs

Who is eligible for Google’s cybersecurity program for rural hospitals?

Eligibility generally includes small, rural, and underserved hospitals that face resource constraints in meeting cybersecurity needs.

 

How much does participation cost for hospitals?

Many services are free, while others are heavily discounted to ensure affordability for rural facilities.

 

What types of cyber threats does the initiative focus on?

The program is designed to defend against ransomware, phishing, data theft, and other attacks that disrupt care.

 

Does the initiative provide on-site support, or is it mostly virtual?

Most services are delivered virtually, but hospitals can also receive direct consulting and implementation support.

 

Are there training opportunities for rural hospital staff?

Yes, the initiative includes free and subsidized training programs, mentorships, and certifications in cybersecurity.