By Russell Teague, CISO, Fortified Health Security
Rural care in America just got a once-in-a-generation opportunity, and a stress test. The Centers for Medicare & Medicaid Services (CMS) has launched the Rural Health Transformation (RHT) Program, a $50 billion, five-year initiative aimed at helping states reimagine rural care delivery. Half of the money is distributed evenly across approved states; the other half is awarded based on the state’s need and the strength of its plan. Applications are due in early November 2025, awards are by December 31, and dollars begin flowing with FY2026. That’s a sprint for states, and a small window for rural providers to influence how their state prioritizes cybersecurity, technology, and workforce.
The CMS Rural Health Transformation Program at a Glance
What’s good here is real flexibility. CMS is asking states to submit a single, multi-year transformation plan that hits at least three approved use-of-funds categories—spanning prevention and chronic disease management, sustainable access to care, workforce development, innovative care, and technology/IT. Crucially for security leaders, allowable investments include “significant information technology advances” that improve efficiency, enhance cybersecurity capability, and support patient outcomes. This isn’t checkbox spending; CMS expects measurable outcomes, sustainability beyond the grant period, and credible stakeholder engagement.
There’s also a governance backbone that providers should welcome. CMS is treating these as cooperative agreements with substantial federal involvement, annual reporting, and a 10% cap on state administrative costs. Funds can’t be used to replace reimbursable clinical services, and unused dollars are clawed back or redistributed. Translation: States must select investments that move the needle and withstand audit scrutiny, and providers must be prepared to demonstrate impact and ongoing viability.
The Hard Truths: Time, Money, and Distribution
Now the hard truths. First, the clock. There is only one application period, now through early November 2025. States that miss, lose out. Even for states that file, the practical question is whether they can quickly establish fair and transparent processes to identify sub-recipients and projects, while meeting CMS’s expectations for measurable outcomes by FY2026. Many will turn to existing mechanisms and advisory boards; some are already doing so. But the time to shape priorities is measured in weeks, not quarters.
Second, the math. While $50 billion is a substantial amount, it is spread across five years and fifty states and must compete with structural financial pressures, especially in markets exposed to reimbursement changes. Independent analyses have already warned that the RHT fund, while helpful, won’t fully offset broader cuts and cost pressures facing rural providers. Providers should see this program as catalytic capital for transformation, not a rescue from ongoing margin compression.
Third, uneven distribution is by design. The statute and CMS policy split funding into two categories. Half is split evenly among all approved states; the second half is awarded based on factors such as each state’s rural population share, rural facility footprint, and the “situation of hospitals” in the state. This means the size of your state’s award will depend on both its objective need and the quality of its application, and the most competitive plans will be those that marry data-driven rural health needs with credible, shovel-ready initiatives.
What about distribution inside a state? CMS is leaving room for states to design their pass-through processes, so long as they describe the “process and criteria for selecting sub-recipients, contractors, or subcontractors” in their application and follow federal award rules. Expect states to publish criteria and timelines quickly after award, often leveraging existing grant rails, rural hospital financial analyses, and statewide health data assets to rank needs and allocate funds. Providers should be prepared to compete based on documented need, readiness, and potential measurable outcomes.
Where the Risks Really Lie
Where the risk really lies is in three places: misalignment, immaturity, and maintenance. Misalignment occurs when hospitals pursue flashy tools that fail to connect to measurable outcomes, such as avoidable admissions, time-to-treatment, care continuity, or well-defined cyber risk reduction. Immaturity bites when early projects lack governance: no product owner, no change control, no data protection impact assessment, no supplier risk evaluation. Maintenance failure emerges two years later, when grant funds taper and organizations are left with unfunded software renewals, unsustainable staffing, or complex cloud estates that they can’t monitor.
A Secure-by-Design Approach to Transformation
So, what’s the common-sense approach from a cybersecurity perspective?
Start with a “secure-by-design” blueprint that is boring in the best way. Before discussing tools, articulate how your initiative will mitigate specific patient safety risks (e.g., downtime in the ED due to ransomware; diversion events resulting from imaging PACS outages) and how it will measurably improve operations (e.g., faster throughput via identity modernization; fewer denials via clean claim data integrity). Anchor that blueprint to controls you can actually implement and sustain—MFA everywhere, EDR and managed detection with 24×7 response, Connected Medical Device Management, Network Detection & Response (NDR), immutable backups with periodic restore tests, least-privilege identity, and micro-segmentation for critical clinical systems. Then specify the data you will collect to prove impact over time. Funders are asking explicitly for outcomes and sustainability.
Target cyber-adjacent investments that drive double benefit—security plus clinical reliability. Think identity and access modernization to reduce fraud and speed clinician login; secure remote monitoring to extend reach while enforcing device posture and encryption; network modernization that pairs micro-segmentation with QoS for tele-stroke and tele-psych; and cloud modernization that adds secure log pipelines for faster security alert triage, threat hunting, and incident response. These are each tied to RHT’s permitted uses, specifically around technology-enabled solutions and “significant IT advances,” aimed at improving efficiency, security, and patient outcomes.
Treat vendors like sub-recipients—because the federal government will. Even if funds flow through the state to your hospital and then to a partner, federal award terms flow down. Build a lightweight but real third-party risk process: attestations to control frameworks, software bill of materials for critical systems, breach notification SLAs, right-to-audit, data location constraints, and validated incident response runbooks. CMS’s FAQ is explicit that states must document the criteria and process for choosing sub-recipients and contractors; align to that expectation now so you’re not rebuilding governance under a deadline.
Engineer for the glide path off grant dollars. More RHT projects will fail in year three than in year one if we don’t plan for the total cost of ownership. Build a three-to-five-year pro forma for each initiative, including licenses, SOC services, cloud egress, refresh cycles, and training; show the absorption of ongoing operating costs through savings (e.g., consolidation of redundant tools, reduced downtime, lower cyber insurance premiums, fewer traveler staff hours due to better workforce retention). CMS will not fund perpetual operating expenses or duplicate other reimbursements; therefore, sustainability language should be front and center in your proposals.
Move immediately on state engagement. There is one shot to influence the 2025 application and early 2026 allocations. Identify your state’s lead agency (often the Medicaid agency) and any RHT advisory structures; many states are convening hospitals, associations, and health information offices right now and borrowing existing grant infrastructure to move fast. Bring concrete, scored proposals that meet at least three statutory categories, include rural beneficiary impact, and demonstrate measurable outcomes in 12–24 months. Our experience is that specificity, down to milestones, data sources, and vendor commitments, wins scarce transformation dollars.
Finally, keep equity and “most-in-need” at the center. Expect states to prioritize using a mix of rural census tract data, hospital financial distress indicators, workforce shortages, and service-line vulnerabilities (OB, trauma, behavioral health). If you serve high-need geographies or operate critical access hospitals, document that clearly. The federal factors shaping state allotments (rural population share, the proportion of rural facilities, and the hospital situation) foreshadow the criteria many states will echo when pushing funds down to providers. Put your evidence on the table.
From Opportunity to Lasting Impact
RHT is not a panacea, but it is a serious opportunity to align cybersecurity with patient safety and operational resilience in rural America. If we treat this as transformation capital, not a patch for operating losses, we can strengthen the clinical backbone of rural health systems, reduce the impact of inevitable cyber events, and measurably improve access and outcomes. The window is short. The bar is high. However, the path is clear: select outcomes that matter, develop secure-by-design programs that you can sustain, and engage your state now with detailed, data-driven proposals. That’s how we convert a headline into durable care for rural communities.