Healthcare Cybersecurity Expert on Tactics for Rural Resilience

This podcast was originally published on FINN Voices “Real -World Cybersecurity Challenges Facing Rural Hospitals.” 

In a recent episode of FINN Voices, Ryan Finlay, Principal Chief Information Security Officer at CereCore, shared his expert perspective on the cybersecurity challenges facing rural hospitals. With over 25 years of experience in health IT security, Ryan brings a deep understanding of the vulnerabilities these facilities face—ranging from limited budgets and outdated infrastructure to staffing shortages and lack of internal expertise. These constraints make it difficult for rural providers to detect and respond to cyber threats, which can have serious consequences for both operations and patient care.

Ryan emphasized that many rural hospitals are not equipped to recognize breaches until it’s too late. When systems go down, the impact is immediate—clinical workflows are disrupted, and access to patient data is delayed. This is especially problematic for younger clinicians who may have never worked with paper-based records. To combat these risks, Ryan recommends proactive strategies like tabletop exercises, which simulate cyber incidents and engage leadership across departments. These exercises, especially when facilitated by cybersecurity experts who know healthcare, not only expose vulnerabilities but also foster a culture of preparedness and collaboration. 

Beyond simulations, Ryan advocates for a continuous, organization-wide approach to cybersecurity education. He recommends integrating awareness into daily operations through phishing simulations, internal newsletters, and even branded swag that reinforces best practices. One standout initiative is the Cybersecurity Ambassador Program, which empowers staff across departments to champion security practices and share knowledge with peers. “It’s one thing to have your security leader always preaching best practices,” Ryan said. “It’s another thing to have everyone in your organization doing it.” 

For rural hospitals that lack the resources to hire full-time cybersecurity executives, Ryan suggests leveraging virtual CISOs (vCISOs). These professionals offer flexible, strategic guidance and can assist with compliance, incident response, and long-term planning. He also encourages regional collaboration among healthcare providers to share insights and resources. “There’s no competition when it comes to cybersecurity,” Ryan notes. “It’s all about keeping our patients safe and our systems online.” His message is clear: cybersecurity must be a shared priority, led from the top and embraced across the organization.