
How to Grow Your Security Program Without Busting Your Budget

By Kate Pierce, 405(d) Task Group member
June 29, 2023

Hospitals across the nation teeter on the brink of closure as they grapple with a challenging combination of historically thin margins, escalating costs, and persistent labor shortages.

Rural hospitals, in particular, face additional challenges related to patient volumes and difficulty recruiting and retaining qualified staff. According to the Center for Healthcare Quality & Payment Reform, approximately 30% of rural hospitals (646 in total) are at risk of closure due to financial burdens.

A correlated report indicates that 1,129 hospitals have experienced persistent financial losses over multiple years, excluding 2020. Unfortunately, as a result, rural hospitals are compelled to reduce services, exacerbating the plight of patients in already underserved regions.

Hospitals are falling behind other industries when it comes to allocating funds for security measures, with only 5% of their budget dedicated to security compared to the industry average of 16%. Unfortunately, the current budget constraints have made it incredibly challenging to increase or even maintain the allocation for safeguarding hospital facilities. In fact, the allocation of IT budget to security has remained relatively stagnant since the 2018 HIMSS Cybersecurity survey.

Furthermore, the United States is grappling with a severe shortage of qualified cybersecurity professionals, which has continued to worsen in 2022. The 2022 HIMSS Cybersecurity Survey reports that a staggering 84% of healthcare organizations encountered difficulties in recruiting skilled cybersecurity personnel, and an additional 67% expressed significant challenges in retaining their existing staff in this field.

Exacerbating these issues is the alarming rise in ransomware attacks targeting healthcare organizations, with data breaches doubling in just three years. Moreover, the cost of recovery from such attacks has skyrocketed to over $10.1 million per incident in 2022.

Despite this perfect storm of challenges facing healthcare organizations, there are strategies to enhance cybersecurity programs without incurring exorbitant costs. A wealth of free guidance materials and services provided by the government can be tapped into, offering valuable resources to help hospitals fortify defenses without straining budgets.

In addition to an abundance of free guidance and resources, federal funding specifically designed for emergency preparedness and rural connectivity is available, as are various state and local grants and free programs catering to hospitals of all sizes. These opportunities empower healthcare institutions to fortify their technological assets and enhance their overall security posture.

Free Resources

The websites below contain a wealth of good (and free!) resources that you can use to improve your cybersecurity posture or find funding opportunities.

405(d) Program Website features a plethora of resources, including access to the latest industry-tested best practices as noted in the Health Industry Cybersecurity Practices (HICP) 2023 Edition. This website also offers a brand-new training platform called Knowledge on Demand that offers free end-user awareness training for the top five cyber threats facing the healthcare industry. There is also a searchable database of free resources, including infographics, newsletters like this one, webinars with slides, awareness posters and more!

Health Sector Coordinating Council Cyber Working Group (HSCC CWG) provides resources including a cybersecurity framework implementation guide, video training for clinicians, managing legacy technology security, and artificial intelligence and machine learning.

Cybersecurity and Infrastructure Security Agency (CISA) has compiled free cybersecurity tools and services to help organizations advance their security capabilities.

Administration for Strategic Preparedness and Response (ASPR) features video, documents, and more to help protect against, mitigate, respond to, and recover from cyber threats.

National Institute of Standards and Technology (NIST) Small Business Cybersecurity Corner (SBCC).

Federal and State Grants and Subsidies

For more than two decades, I served as CIO and CISO for a critical access hospital. We explored many of the grants outlined below and were fortunate to win several that helped us to improve and protect our technology infrastructure. Applying for grants takes time and discipline, but funding programs like these allowed us to maximize our cybersecurity spending.

Please also note that each state has its own Homeland Security Grant program. A quick internet search is all you need to identify the program in your state and get details on all FEMA grants.

FEMA - Nonprofit Security Grant Program (NSGP): This grant provides funding support for target hardening and other physical security enhancements and activities at 501(c)(3) organizations considered critical infrastructure. Grant money can be used for both physical infrastructure and security software and services. Maximum $150,000 per site for no more than three sites.

FEMA - State Homeland Security Program (SHSP): This Homeland Security Grant offers risk-based funds to bolster state, local, tribal, and territorial efforts to prevent, mitigate, respond to and recover from acts of terrorism and other threats. State and municipal hospitals can partner with a state agency through a memorandum of understanding (MOU).

FEMA - State and Local Cybersecurity Grant Program (SLCGP): Also appropriate for state and municipal hospitals, these grants specifically address cybersecurity risks and cybersecurity threats to information systems.

USAC Healthcare Connect Fund (HCF) Program: This is a subsidy program that provides up to a 65% discount on internet/telecom monthly recurring costs, including equipment and network management services that can include cybersecurity. Consortiums of urban and rural hospitals are eligible if at least 50% of the participants are rural.

Health Resources & Services Administration (HRSA): The organization has given more than 3,000 grants to help provide equitable healthcare to disadvantaged groups and the geographically isolated, including telehealth.

USDA Distance Learning and Telemedicine Grants (RUS DLT): Aimed at rural populations of fewer than 20,000 people, grants require a 15% match and provide up to $1 million for distance learning and telemedicine hardware, transmission equipment, and related software, including for cybersecurity.

Help on the Horizon

In March, the Biden Administration announced a National Cybersecurity Strategy that seeks to “build and enhance collaboration around five pillars:”

  1. Defend critical infrastructure, which includes hospitals
  2. Disrupt and dismantle threat actors, develop a federal approach to ransomware, and engage the private sector in disruption activities
  3. Shape market forces to drive security and resilience, which includes federal grant programs to promote secure and resilient investments in new infrastructure
  4. Invest in a resilient future through strategic investments and coordinated, collaborative action
  5. Forge international partnerships to pursue shared goals

Significant strides have already been made in the form of legislation or pending legislation aimed at bolstering our national cybersecurity workforce, including initiatives that incentivize students to pursue careers in healthcare. And it appears that more help is on the way.

The pressing cybersecurity challenges facing hospitals and health systems have garnered recognition at the highest echelons of government, resulting in additional federal support. However, it’s crucial to acknowledge that solutions to these issues cannot solely rely on government intervention. Leveraging the available resources, including those mentioned above, is an important step toward strengthening your organization’s cybersecurity defenses and protecting healthcare in our communities.

Kate has had over 21 years of experience in healthcare with specific experience in small, rural, and not-for-profit healthcare organizations. She is very familiar with the continuous struggles within these facilities to do more with less. Kate was the CIO and CISO for a Critical Access Hospital & Health Center, and developed the security program from scratch, including governance model, strategic planning, security control selection, and implementation. Kate has been working with HSCC and 405(d) to further the cause of cybersecurity in healthcare. She is a champion for federal and state funding for cybersecurity in small, rural, and not-for-profit organizations.