Cybersecurity is no longer just an IT concern. For rural hospitals, it is a community issue.
In a recent episode of The CereCore Podcast, Phil Sobol spoke with Chris Riha, Senior Cybersecurity Advisor at CereCore, about the growing cyber gap facing rural and resource constrained hospitals.
Chris brings an operator lens to the conversation. Before moving into advisory work, he spent more than 14 years inside Carilion Clinic leading clinical systems and medical device security. Earlier in his career, he supported the US Army Medical Department and worked with MITRE, where security expectations were rigorous and non negotiable. That background shapes how he thinks about preparedness and resilience.
.png)
One of the most dangerous assumptions rural leaders can make is believing their organization is too small to attract cybercriminals.
Chris explains that no organization is too small. In fact, limited staffing and budgets can make smaller hospitals more attractive targets. Threat actors understand that many rural facilities operate with lean teams and limited cybersecurity specialization.
He shared the story of a critical access hospital that experienced a cyber incident. Thanks to strong backups and planning, they were able to recover. But they were offline for days. In rural communities, that can mean patients traveling long distances over difficult terrain just to receive care.
Cyber incidents ripple far beyond the IT department. They affect patients, clinicians, and entire communities.
In many rural hospitals, leaders wear multiple hats. Chris described an organization where a single IT staff member worked for three straight days during a cyber incident while community members stepped in to help care for his child.
That spirit of community is inspiring. But it also highlights a vulnerability.
Cybersecurity cannot rely on one person.
Hiring a full time CISO is often unrealistic for smaller hospitals. The budget may not support it. The talent pool may not exist locally.
That is where a fractional CISO model can help.
Instead of relying on one external advisor, hospitals gain access to a broader bench of expertise. Strategic guidance, policy development, board reporting, tabletop exercises, remediation planning, and ongoing advisory support can be delivered on a scaled basis.
Chris emphasizes that this approach is not about replacing internal teams. It is about extending their capacity and filling skill gaps in a practical, affordable way.
One of the most cost effective steps organizations can take is running tabletop exercises.
These structured simulations walk leadership teams through a realistic cyber scenario such as ransomware. They test policies, communication plans, escalation pathways, and decision making in a safe environment.
Beyond identifying gaps, tabletop exercises create something even more important: muscle memory.
When teams have practiced their response, a real incident becomes more manageable. Auditors also increasingly expect evidence that policies are being tested regularly.
Rural hospitals face intense financial pressure. But cybersecurity investments do not always have to come entirely from operating budgets.
Chris described how CereCore works with hospitals to identify funding opportunities through state and federal programs, including rural health transformation initiatives and telecommunications grants.
Many hospitals simply do not have the time or expertise to navigate these programs alone. Having a partner who understands both the technical requirements and the funding landscape can accelerate progress significantly.
Chris offered simple advice for leaders:
Stay engaged.
Make sure there is a plan.
Test that plan.
Cybersecurity is not solely an IT issue. It is an organizational and governance responsibility. Boards want assurance that a strategy exists. Communities depend on it.
Preparation does not eliminate risk. But it dramatically reduces the damage when an incident occurs.
Learn how a cyber advisor brought new hope to an organization without a dedicated security official. See the case study.
Learn more on how cybersecurity ambassadors at your organization strengthen your first line of defense. Get the program details.
Don't miss an episode of insights from healthcare IT leaders and experts. Subscribe to the podcast on Spotify or Apple Podcasts. Share what you've learned with your network, too.
