Why a $50 Billion Investment Will Propel Rural Health Cyber Transformation

The U.S. government just launched a $50 billion initiative to modernize rural healthcare infrastructure. The federal government is now reviewing states’ funding applications and by the end of the year will announce funding awards, which may include support for expanding and securing digital systems.

States will need to manage new security risks that come with any expansion.

Congress passed Public Law 119-21 on July 4, 2025, creating the Rural Health Transformation (RHT) Program. The law directs the Centers for Medicare & Medicaid Services (CMS) to support state plans that strengthen rural healthcare and expand technology use across five fiscal years.

Rural healthcare has drawn national attention because many states struggle with persistent gaps in access to care, limited resources, and aging infrastructure.

In the 2025 Third-Party Breach Report, SecurityScorecard found that healthcare sustained more third-party breaches than any other sector in 2024. The volume is striking: 242 breaches total, with 78 tied to third parties.

For states applying for RHT program funding, this matters because expanding digital infrastructure means expanding vendor relationships, and that is where breaches increasingly occur. Securing digital assets can’t stay confined to IT. It must be a business priority, because patient care depends on it.

Read the 2025 Third-Party Breach Report for more insights on healthcare cybersecurity.

How the Cyber Gap in Rural Health Affects Patient Care

Attackers target healthcare consistently. Rural and Critical Access Hospitals (CAHs) operate with limited resources while holding high-value data, which makes them prime targets for hacking groups:

1. Limited Resources: Small IT teams and constrained budgets leave security teams underfunded and reliant on basic, outdated defenses.
2. Legacy Systems: Many smaller facilities rely on older, interconnected medical devices and Electronic Health Record (EHR) systems. These systems complicate patching or securing them against malicious actors, nation‑state hackers, or cybercriminals.
3. High-Value Data: Despite their size, these entities hold the same sensitive data and protected health information (PHI) as major urban hospital networks. A ransomware attack in a rural healthcare context can quickly cripple a region’s only healthcare option.

The law explicitly notes that the program aims to foster the use of technologies that are “designed to improve efficiency, enhance cybersecurity capability development, and improve patient health outcomes.”

To capitalize on this $50 billion opportunity, organizations and their security teams must incorporate cybersecurity strategies into their transformation plans.

How to Use Cybersecurity Funding Under the CMS Program

To guard program funds and ensure long‑term value, rural entities must build a secure, sustainable digital environment. They need solutions offering enterprise‑level visibility without enterprise‑level budgets or staff.

These organizations should adopt continuous, objective measurements of security.

The following are recommended actions for rural healthcare providers and states interested in this initiative:

1. Prove Security Posture Over Time

Ensure that new tech initiatives, such as telehealth expansion, data sharing, or EHR modernization, are built on a secure foundation.

External, objective security ratings can provide an immediate, understandable health check of a facility’s public-facing cybersecurity.

• Prioritize Gaps: A rating system identifies and prioritizes the most critical vulnerabilities that can lead to a breach, such as unpatched servers, poor email security, or network configuration issues. This can help small teams focus limited resources on the highest-risk areas.
• Demonstrate Due Diligence: By tracking an improving score over time, a rural facility can show CMS and partners concrete progress and commitment to data security and risk reduction.

2. Protect New Technology Investments

A large portion of the $50 billion will likely support deployment of new care models built on emerging technologies. Every new connection, from a mobile clinic to a remote patient‑monitoring device or cloud service, can introduce an attack surface.

Security teams should apply strong security practices from the outset:

• Continuous Monitoring: Continuous monitoring gives your security team early warning when a vulnerability or security issue appears in your network or supply chain. It secures new tools and systems from day one. It acts as an automated security check, alerting staff when a new potential issue is introduced to the network or supply chain.
• Secure the Supply Chain: Many rural facilities rely on third-party vendors for cloud services, billing, and specialized applications. A measurable security solution can assess the cybersecurity health of these critical vendors, protecting the hospital from risks that lie outside its own network.

3. Shift from Compliance Checkboxes to Long-Term Resilience

The goal is not just to comply with the Health Insurance Portability and Accountability Act (HIPAA) or other regulations, but to build genuine resilience. Continuous, objective measurement of security posture helps rural entities:

• Operationalize Security: It translates complex cyber threats into simple, actionable steps that small IT teams can execute, turning abstract policy into measurable outcomes.
• Protect the Community: By preventing ransomware attacks and data breaches, rural hospitals ensure that their doors stay open, protecting the community’s health and preserving the healthcare sustainability that the CMS investment is designed to create.

Why Cybersecurity Matters for Rural Healthcare Providers 2025-2030

The $50 billion Rural Health Transformation Program represents a critical inflection point for rural healthcare systems. The decisions made today about vendor partnerships and digital infrastructure will shape security posture for years.

Building that security in from the start will be the difference between a transformation that strengthens systems and one that creates new vulnerabilities.

SecurityScorecard gives healthcare organizations the needed visibility to make those decisions with confidence. Our Supply Chain Detection and Response (SCDR) solution shows you exactly where third-party risk lives in your ecosystem, so you can build a secure foundation as you scale.

Download the 2025 Third-Party Breach Report for deeper insights into healthcare cybersecurity.