Article

RHT Program funding enables rural cyber modernization at a critical juncture

Time-sensitive grants can align tech modernization with cyber risk reduction

July 07, 2026

Key takeaways

RHT funding allows rural providers to drive measurable cybersecurity improvements.

Early planning improves competitiveness, as states award funds based on outcomes and timelines.

Cyber investments should be rightsized, auditable and sustainable after grant funding ends.

#
Health care

The Rural Health Transformation Program (RHT Program) creates a time-sensitive opportunity for rural providers to modernize technology and strengthen cybersecurity at the same time. In 2026, the Centers for Medicare & Medicaid Services announced first-year awards to all 50 states under a $50 billion, five-year initiative, with first-year awards averaging about $200 million (ranging from $147 million to $281 million). Leveraging a portion of available funds for cybersecurity improvements could help rural providers become more resilient. Providers that wait for states to finalize subaward mechanics before defining priorities may lose momentum—or miss funding windows—because the most competitive proposals are typically tied to clear outcomes, realistic timelines and a defensible budget.

Eligibility and participation

RHT Program funding is designed to help states and rural communities strengthen care access, workforce, technology and sustainability. For rural providers, it can also be a practical source of capital to reduce operational risk while modernizing delivery models. As organizations expand telehealth, remote patient monitoring, cloud services and their use of artificial intelligence, the attack surface grows—making cybersecurity a critical dependency for reliable patient care. The program recognizes this by identifying technology modernization and data security (including cybersecurity) as prioritized uses of funds.

By design, 50% of the total $50 billion is distributed equally among states with approved applications, helping ensure that every state has baseline capital to initiate transformation. The remaining 50% is awarded using a competitive, metrics-based approach.

Local governments, hospitals, universities, nonprofits, federally recognized Native American tribes and other organizations (including clinics and community mental health centers) may participate through subawards or partnerships via state funding. This structure enables rural providers to benefit from the program by collaborating with state agencies and community partners.

States, grantees, subgrantees and vendors receiving RHT Program funding should remain mindful of defined caps for administrative expenses, technology investments and facility renovations. These limits can apply at multiple levels of funding distribution. In addition, funds generally should not be used to pay for costs already covered in an approved budget (i.e., “supplanting”), which can create audit and repayment risk.

Why focus on cybersecurity?

Cybersecurity has become a top operational priority for rural providers. The Health Sector Coordinating Council (HSCC) notes that small and rural facilities can be especially vulnerable, and that connections to larger health systems and shared service providers can create pathways for attackers to reach bigger networks through smaller, less-resourced entities.

The 2023 Hospital Cyber Resiliency Initiative Landscape Analysis identified common gaps such as reliance on outdated hardware and software and inconsistent use of foundational security capabilities. For many rural providers, these conditions can increase exposure to ransomware and other disruptive events. Addressing them helps protect patient information, reduce downtime risk and sustain clinical operations.

Recommended cybersecurity strategies

The program’s technology innovation goal emphasizes efficient care delivery, secure data and expanded access to digital health tools. In practice, many eligible initiatives can be framed as encompassing both modernization and risk reduction by supporting remote care, improving data sharing, strengthening cybersecurity and involving adoption of emerging technologies.

RHT Program funding can support initiatives that improve efficiency and cybersecurity through software, hardware and information technology advances. Examples of grant-aligned cybersecurity investments include:

  • Replace legacy systems: Phase out unsupported operating systems and hardware that no longer receive security patches.
  • Modernize hosting and recovery: Migrate appropriate workloads to secure cloud services with stronger backup, disaster recovery and centralized security management.
  • Operationalize vulnerability management: Continuously identify, prioritize and remediate vulnerabilities fast enough to outpace evolving threats.
  • Strengthen identity and access: Reduce reliance on perimeter-based security by verifying users and devices and limiting access based on risk.
  • Improve detection and response: Enhance monitoring and alerting (including analytics) to spot anomalous behavior earlier and shorten time to contain incidents.
  • Build workforce readiness: Train clinical and administrative staff on phishing awareness, secure password practices and incident reporting to reduce human-driven risk.
  • Secure patient-facing systems: Strengthen authentication, encryption and monitoring for portals and other consumer-facing applications that support engagement and chronic disease management.

Planning considerations for grant-funded cybersecurity

When using RHT Program funding to support cybersecurity initiatives, rural health care organizations should consider:

Governance and leadership capacity: Ensure there is clear accountability for cybersecurity strategy, policy decisions and risk prioritization, especially when internal IT resources are limited.

Rightsized controls: Focus first on foundational defenses that meaningfully reduce risk, rather than pursuing overly complex programs that are difficult to sustain.

Identity and third-party exposure: Address common drivers of incidents, such as weak access controls and reliance on shared service providers, managed service providers or cloud vendors.


Integration with modernization efforts: Embed security into electronic health record migrations, cloud adoption, telehealth expansion and other transformation initiatives from the outset.

Sustainability beyond the grant: Select tools, contracts and operating models that can be supported after grant funding sunsets, based on realistic total cost of ownership.

Demonstrable outcomes: Align investments to measurable improvements—such as reduced downtime risk, faster recovery or improved detection—rather than one-time technology purchases.

Beyond the grant period

RHT Program funding runs through fiscal year 2030. Licenses, subscriptions, managed service contracts and cloud commitments started with grant dollars can become operating-cost obligations after the funding ends. Providers should model post-grant total cost of ownership before procurement—not after. A control that is later abandoned or downgraded can be worse than one never deployed, because the environment may have been redesigned around it.

Cyberthreats and regulatory expectations continue to evolve, and many organizations anticipate continued emphasis on stronger, more demonstrable safeguards. Grant-funded cyber investments should also account for procurement and compliance requirements (e.g., Uniform Guidance procurement standards) and for the realities of cyber insurance underwriting, which increasingly rewards effective, well-operated controls.

The takeaway

Now is the time for rural health organizations to turn grant funding into a clear, phased cybersecurity roadmap. The Rural Health Transformation Program offers a unique opportunity to pair modernization with risk reduction—helping protect patient safety, improve resilience and support higher-quality care for rural communities.

If your organization is considering RHT Program-funded modernization, start by defining priority outcomes (clinical continuity, downtime reduction, identity hardening, faster recovery) and the minimum security capabilities needed to support them. 

RSM contributors

  • Lenny Levy
    Managing Director
  • Jordan Underwood
    Senior Associate

Related insights

Cybersecurity and data privacy risk consulting

Contact our cybersecurity team to learn more.