7 Things Healthcare Needs More Than Another Webinar – Ep 510 

 May 23, 2025

By  Donna Grindle

Let’s face it — if healthcare had a dollar for every time someone said “we need another webinar,” it might actually be able to afford cybersecurity upgrades. This episode takes aim at the overload of online presentations and instead shines a light on what healthcare providers actually need. We unpack the findings of a critical report on the unique cybersecurity challenges facing small and rural healthcare providers, who are often running on shoestring budgets, outdated tech, and a whole lot of crossed fingers.


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

7 Things Healthcare Needs More Than Another Webinar

[00:50]

On the Edge: Cybersecurity Health of America’s Resource-Constrained Health Providers – Health Sector Council

A new report from HSCC specifically evaluates the issues faced by, and the cybersecurity needs of, small and rural providers of all types.

The report – “On the Edge: Cybersecurity Health of America’s Resource-Constrained Health Providers,” examines how resource-constrained health care systems – small, rural, critical access, family clinics, skilled nursing facilities, FQHCs and many more across the country – are only marginally prepared for ongoing cyber threats to clinical care and operational liquidity, and recommends forms of support they would need against stiffer cybersecurity regulatory requirements.

As Jim Roeder of Minnesota’s Lakewood Health, co-lead of the task group that produced the report, said:

“This report sheds a critical light on the cybersecurity challenges threatening resource constrained healthcare providers like ours. It accurately reflects the fears we face daily in knowing that a single ransomware attack could not only jeopardize our hospital’s future but also put our patients and community at risk.” Roeder added that “Cybersecurity is not just an IT issue; it is a patient safety issue. Protecting the health and well-being of our communities means ensuring we have the resources and support to defend against evolving cyber threats.”

What is the report about?

[08:50] The group did surveys and interviews with a wide range of provider types and sizes across the country.

“We define ‘Resource-Constrained healthcare provider’ as:

A medical facility or individual practitioner encountering significant obstacles in providing comprehensive healthcare services and conforming to operation standards, often due to financial constraints, geographic isolation, or patient population characteristics. These constraints further impede the ability of Resource-Constrained health providers to implement, maintain, and enhance cybersecurity measures.

Resource-constrained providers include providers located in rural or economically disadvantaged areas, small practices, community health centers, critical access hospitals, and facilities serving high-risk or special populations. These providers typically face challenges such as limited financial resources, outdated or limited health IT, insufficient access to cybersecurity expertise and tools, and lower levels of regulatory oversight or support. Furthermore, these constraints are often compounded by a higher dependency on outdated technology and infrastructure, which increases vulnerability to cyber threats.”

Problems identified in the findings

[11:31]

Top 10 Issues

  • Inflexible or no funding
  • Outdated systems
  • No cyber talent
  • Competing priorities
  • No formal program
  • Weak governance
  • Confusing government guidance
  • Late/missing alerts
  • No real training for incidents
  • No support for shared solutions

5 Things Making It Worse

  • No patient diversion options
  • Small orgs as entry point to larger systems
  • Cybercriminals are targeting them
  • EHRs, telehealth, AI = more attack surface
  • AI + no cyber prep = risk explosion

There is one area of concern based on our experience. They repeatedly said that they know what to do, and all of them think knowledge is not the problem. We see that all the time. They do know they need to do things, and they know in general what should be done. But…. They don’t know HOW to do it properly. If the recommendations assume too readily that providers already know how to do these things, and simply hand them tools or people who are waiting to be managed, we could create a whole new list of problems.

Here are a few quotes:

“Most said they know what to do, they just don’t have the people to do it.”

“We’ve never been audited, but we have a managed service provider.”

“Our cyber lead is also head of fire safety.”

“We don’t need training—we need people.”

Many rely on part-time MSSPs, MSPs or “I got a guy” IT. They also blend cyber roles with facilities or compliance roles out of necessity. We always say the person who missed the meeting ends up with the job of managing security.

We frequently see that what they think is a strategy for managing cybersecurity is actually a gap analysis of HIPAA Security Rule compliance. There is one point I think needs to be addressed that isn’t clearly outlined in the report – IMHO:

What healthcare providers really need isn’t just more training. They need well-trained, informed staff who can actually help out and know more than just the basics about the tech.

Recommendations

[30:33] Here are the 7 things in the recommendations.

Workforce Augmentation

  • Actual people, not just training – but it is very important that they get actual people who are properly trained!
  • Cyber Corps, MSSPs, regional staffing are options mentioned but there is great concern about making sure the skills they get are ones that are prepared for the role they are expected to play.
  • Regulatory and technical training for IT staff

Flexible and Ongoing Funding

  • Not just grants—reimbursement models, loan programs
    • Reimbursement as an incentive model for better cybersecurity also attracted some nods from interviewees, such as CMS providing a “meaningful use”-like funding model involving incentive payments to health systems that can demonstrate deployment of recognized cybersecurity practices such as Health Industry Cybersecurity Practices and NIST Cybersecurity Framework. This concept was enshrined in Public Law 116-321, as a way to direct OCR to accommodate breached entities with potentially less draconian fines and audits in a HIPAA enforcement action if the entity was able to demonstrate implementation of HICP, NIST or other recognized security practices. Funding is vital to develop the workforce and invest in health IT, but existing pathways and reimbursement incentives are insufficient and inflexible.
  • CMS incentives and USDA loan expansion

Support for Health IT Collaboratives

  • Shared services to reduce cost and increase resilience
  • Non-profits that provide scale to small orgs

Third-Party Vendor Accountability

  • Regulation for vendors, not just the providers
  • Less burden on the “victims”

Real-World Tools and Infrastructure

  • Tech upgrades, EDR, managed detection—not slide decks
  • Access to GSA pricing

Clear, Aligned, and Reasonable Regulations

  • Eliminate conflicting guidance
  • Stop compliance punishment without help

Incident Response Support

  • Help during attacks (not just post-breach penalties)
  • National Guard, federal response teams

After peeling back the layers of this report, one thing’s crystal clear: small and rural healthcare providers aren’t just in a tough spot — they’re trying to build a cyber fortress with duct tape and dial-up. The report lays out ten gnarly problems (think: outdated tech, lack of trained staff, mixed messages from regulators) and five ways things are only getting worse (hello, alert fatigue and budget black holes). But it’s not all doomscrolling. There are solid recommendations too — from workforce augmentation and real funding, to vendor accountability and practical support during incidents. The path forward? It’s going to take more than PowerPoint and good vibes. Small healthcare businesses need real resources, real people, and real help if they’re going to turn cybersecurity from a pipe dream into a practical plan.


HIPAA is not about compliance, it’s about patient care.™
