Small and rural healthcare organizations face numerous challenges that larger facilities often manage more effectively. Failure to address these issues could lead to their closure.

One significant challenge is uncompensated care. Coupled with rising operational costs and declining reimbursements, many rural health systems find themselves financially vulnerable, fearing they may be on the verge of closure.

Another pressing issue is cybersecurity. Costly data breaches can threaten the existence of some facilities, and small hospitals are often prime targets for cybercriminals. This is a challenge that many cannot tackle alone.

Consider this challenging cycle:

• Workforce shortages and rising labor costs necessitate investments in technology to manage overall operating expenses.
• However, new software and IT platforms introduce additional network security risks, requiring further investments in cybersecurity to protect against malicious actors.
• If a cyberattack occurs, recovery costs can escalate, along with potential fines from regulatory bodies for failing to safeguard patient data.

These issues pose significant challenges for small providers, compounding existing workforce and resource difficulties.

Fortunately, there are affordable technology strategies that can help mitigate these vulnerabilities, ensuring providers can continue to deliver quality patient care while securing their data.

Recently, we spoke with Chris Stenglein, CEO of Curae, a company specializing in healthcare financing technologies. He shared insights on how rural healthcare providers can navigate these challenges while remaining profitable.

We also consulted George Pappas, CEO of Intraprise Health, about how small health systems can enhance their cybersecurity by pooling IT and security resources and hiring lower-cost virtual security officers.

Both experts emphasized the importance of collaborative approaches to achieve cost-efficiency and bolster cybersecurity.

Financial Struggles

The financial challenges are particularly severe for rural emergency hospitals (25-50 beds) that do not receive the same federal support as critical access hospitals (25 beds and below), according to Pappas.

When Medicaid cuts affect care access, providers in rural and underserved areas are compelled to explore alternative solutions for uncompensated care, as noted by Stenglein.

State Medicaid regulations further complicate the financial stability of rural providers, as high eligibility thresholds can significantly reduce reimbursements for many patients.

Consequently, patients have become the largest single payer in healthcare, as Stenglein pointed out.

“We hear from CFOs, CEOs, revenue cycle managers, and patient access coordinators that patients continue to defer care,” he stated.

Addressing the affordability gap, worsened by COVID-19, has led hospitals to connect patients with payment sources, helping providers sustain their care services.

Reducing a rural health system’s uncompensated care by 10-20% could prevent permanent closure, according to Stenglein.

Curae’s cost recovery platform for Federally Qualified Health Centers (FQHCs) and acute care providers utilizes various data sources to link patients with potential payment opportunities and automates billing communications.

Cost-Containment Challenges

Stenglein explained that the platform explores all eligibility avenues, identifies insured patients mistakenly classified as self-pay, conducts Medicaid eligibility checks, and simplifies access to charitable funding sources, while also offering self-pay financing options.

“Unbanked and undocumented individuals” can receive approvals, and provider customers see returns ranging from 10% to 30% on their uncompensated care levels.

For patients applying for either a two-year, interest-free plan or a five-year, interest-bearing plan, an average of 80-94% are approved.

One multi-state health system operating numerous rural hospitals generated over $100 million in transactions from 90,000 applicants, with a 93% approval rate.

As patients pay down their balances, they can utilize their remaining credit limits across most acute and ambulatory services, according to a patient administration support specialist from the organization.

Stenglein emphasized that bridging the affordability gap and encouraging patients to seek timely care requires a data engine to streamline the complex processes of charity care, philanthropic resources, and free drug programs.

These processes are often “archaic and paper-based,” he noted.

With an automated platform connecting patients to healthcare payment resources and assisting uninsured patients in finding affordable insurance programs, providers can avoid increasing labor costs and burdens.

Collaborative Security Solutions

Many smaller hospitals fail to implement basic cybersecurity practices, such as managing privileged accounts, enforcing multi-factor authentication, or conducting regular vulnerability scans and timely patching, according to Pappas.

Community hospitals using smaller electronic health record (EHR) systems frequently encounter these issues.

“I’ve witnessed this firsthand,” Pappas remarked. “They share common instances because cloud computing has been around for a while. How secure is it? How effective is the partitioning and user responsibilities?”

Significant progress can be achieved with relatively small investments. Federal programs, such as Microsoft’s and other tech companies’ outreach initiatives, have demonstrated this.

However, while many offer temporary discounted access to better assessment and remediation products, the long-term sustainability and consistent oversight for addressing vulnerabilities will remain a challenge for rural providers.

Pappas stressed the importance of joining collaboratives like Health Center Controlled Networks (HCCNs).

These groups support the adoption of EHRs, enhance data sharing, and provide shared licenses and operational support to members, including common infrastructure services.

The concept behind FQHCs and HCCNs is to enable small healthcare providers to access high-quality, well-resourced support for both front- and back-office operations—support they would struggle to build and manage independently.

OSIS, which serves over 100 health centers across 32 states, exemplifies this model.

To assist members with annual security risk analyses for HIPAA compliance, OSIS implemented an automated tool called HIPAA One, which increased the completion rate of security risk assessments (SRAs) by 83.9% in the first year.

This improvement indicates that “without centralized support from organizations like OSIS and tools like HIPAA One, individual medical practices often struggle to complete their SRAs,” Pappas explained. “Many either skip them entirely or abandon the process midway due to limited understanding, time, or financial resources.”

The shared tool not only helped OSIS members identify and address security issues but also saved them compliance time. With many SRA questions prepopulated in the HIPAA One platform, “when a health center logs into its local version, over half of the questions are already filled out,” he added.

With a centralized view of progress, OSIS can prioritize where support is needed across its membership and allocate resources to address the highest risks.

“Ultimately, this turns security from a once-a-year compliance exercise into an ongoing conversation,” Pappas stated.

While individual hospitals remain responsible for their security posture, the HCCN model allows for resource pooling to share Security Operations Centers and purchase penetration testing and other tools that alleviate security operations burdens.

Virtual Chief Information Security Officer (vCISO)

Another effective cybersecurity strategy for rural providers is the implementation of a virtual chief information security officer, according to Pappas. Intraprise offers a range of cybersecurity services, including vCISOs.

In this model, a trained cybersecurity professional oversees security practices and protocols across multiple hospitals and health systems. With remote accountability, they can nurture security programs and prioritize necessary fixes.

While Microsoft’s rural vulnerability assessment program has been beneficial, Pappas questioned, “Why don’t they make all those advanced features available on a more permanent basis, perhaps through a nonprofit program?”

After a healthcare organization utilizes the Microsoft program assessment and a one-year 75% discount on security products for system remediation, “someone must supervise the fixes,” he noted.

“How can that be made more available on a sustained basis? That’s a conundrum the industry will face when the assessment and discount program concludes.”

While automation and AI technologies could enhance endpoint detection and remediation capabilities for rural hospitals with significant vulnerabilities due to outdated technology, AI alone cannot manage cyber hygiene.

“Remediation tracking cannot be fully automated,” Pappas stated. “A person with accountability must oversee the outstanding issues that need resolution.”

A vCISO can help keep cybersecurity defense at the forefront of an organization’s leadership, in addition to detecting and preventing cyber threats in various ways.

“Someone who doesn’t work on-site can perform much of this job remotely,” he explained.

If rural organizations leverage resources like virtual CISOs and HCCNs to enhance their security postures and operations, they may not only avoid closure but also improve their margins, attract more patients, and enhance health outcomes.

Andrea Fox is the senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.