As Cyberattacks Surge, Arkansas Hospitals Struggle to Keep IT Defenses Intact

Hospitals in Arkansas and beyond face a two-pronged threat from cybercriminals these days: As attacks keep increasing, the health care industry is struggling to find cybersecurity experts to stem the tide.

“Over the last year, we’ve seen … attackers going after not just individual hospitals or even hospital systems, but also some of the larger critical infrastructure in the health care system as well,” said Dr. Jeffrey Tully, co-director of the University of California San Diego Center for Healthcare Cybersecurity. “There are groups of cybercriminal gangs that focus on this type of business.”

Data theft and ransomware attacks against health care and related third-party providers “appear to be unfolding at the same elevated rate as in 2023, which was the worst year ever for breaches in health care,” said John Riggi, national adviser for cybersecurity and risk for the American Hospital Association. Riggi issued that warning Oct. 7 on the association’s website. “The scope and impact of this year’s breaches, however, have been much more profound.”

The Arkansas Hospital Association has been hosting meetings of a Cybersecurity Alliance since August 2023. Chief information officers from about 30 hospitals gather once a month to “go over a variety of different issues that they’re seeing in regards to internal security, cybersecurity insurance and the likes of that,” said Donald McCormick, AHA’s director of analytics and financial policy.

Attacks are rising because health care organizations hold a wealth of personal data in health records and payment information, “which makes a ripe haul for hackers to grab and sell on the dark web,” said Leslie Taylor, the spokeswoman for the University of Arkansas for Medical Sciences in Little Rock. “They can get a lot more for this data than with stolen credit card information.”

In July, behavioral health care provider Arisa Health Inc. of Springdale reported that 375,436 individuals were affected in a data breach caused by a hacking/information technology incident, according to the U.S. Department of Health & Human Services Office for Civil Rights.

Arisa Health declined to comment.

In 2024, eight Arkansas companies reported health care data breaches of 500 or more records, up from four the previous year.

Cybercriminals also cash in by infecting health care computer systems with ransomware. “We, as researchers, think of health care ransomware attacks as a matter of when and not if,” Tully said.

Taylor noted that patient safety requires hospitals to avoid extended disruptions that ransomware can wreak. “This leads to many health care organizations paying the ransom, and in turn that leads to more attack attempts against the industry,” Taylor said in an email exchange.

In fact, most health care companies report being victimized. A survey of 402 health care companies found that 67% were hit with a ransomware attack in the previous 12 months, according to a report from Microsoft released in October. Titled “US Healthcare at Risk,” the report found that 53% of the companies paid the ransoms in 2024, up from 42% in 2023. The average ransom payment was $4.4 million.

Finding Workers

Finding workers to stop the cyberattacks is challenging for hospitals.

As of last week, Arkansas had 3,053 cybersecurity job openings and 7,152 total employees in the cybersecurity workforce, according to CyberSeek, a website that provides information about the cybersecurity job market.

“Finding high-quality IT staff, or even finding an average IT staff, can sometimes be daunting, especially when you’re thinking about some of these really, really rural areas,” the AHA’s McCormick said.

Donald McCormick of the Arkansas Hospital Association says finding good IT specialists has become a daunting task. (Steve Lewis)

An average IT director will make between $85,000 and $120,000 annually, plus benefits.

With two to five IT workers, a typical rural hospital that might have an annual net patient revenue of $15 million to $20 million “could be seeing between $750,000 to $1.5 million going directly to cybersecurity endeavors to make sure the network is secure,” McCormick said.

In addition to hiring IT professionals, hospitals face other costs tied to cybersecurity, including cyber liability insurance.

Some rural hospitals have hired vendors to handle their IT work or searched for grants or other funding streams to pay for it.

“There is a very real possibility that in lieu of being able to find funding for that, that some services might have to be reduced or eliminated to cover some of these costs,” McCormick said. “It is very real that some of these costs get very, very high, and that it could impact the service availability due to a lack of funding.”

Patient Care at Risk

At the AHA’s Cybersecurity Alliance meetings, members home in on particular challenges. McCormick said members have conducted exercises with the federal Cybersecurity & Infrastructure Security Agency.

“They went through scenarios for what would happen in different cybersecurity instances like ransomware,” and how the hospital would then access its electronic records, he said.

“But most of what we’re seeing from a cybersecurity event occurring occurs via the third-party providers,” he said.

In February 2024, a cyberattack on health care billing and payment clearinghouse Change Healthcare Inc. of Nashville, Tennessee, squeezed cash flow to hospitals and prevented dozens of physicians and pharmacists from collecting millions of dollars’ worth of claims for months.

After a health care provider is hacked, “there’s really three kinds of insults and injuries that are experienced all at once,” Tully said.

First, he said, when a cyberattack collapses a hospital’s billing system, the hospital can’t submit patient claims to get paid, resulting in a loss of operational funding.

Then there could be regulatory fines, followed by class-action lawsuits from patients who have had their records stolen.

Tully said that there are “very large financial impacts that can affect these institutions.” He cited the case of a rural hospital in Illinois that closed in 2023 after it experienced a ransomware attack in 2021.

Patient care also could suffer if a hospital’s electronic medical record is locked by cybercriminals.

Patient care also suffers from ransomware attacks.

They are “designed to shut down vital systems and cause maximum delay and disruption to patient care,” said Riggi, of the American Hospital Association. “They not only threaten the safety of patients in the hospital, but their effects cascade throughout the entire community and every hospital, clinic and emergency department in the surrounding region.”

Breaches of Unsecured Protected Health Information Affecting 500 or More People Since Jan. 1, 2023

Name | City | Covered Entity Type | Individuals Affected | Breach Submission Date | Type of Breach | Location of Breached Information
Arisa Health Inc. | Springdale | Health care provider | 375,436 | 7/19/2024 | Hacking/IT incident | Network server
Regional Family Medicine | Mountain Home | Health care provider | 80,166 | 12/12/2023 | Hacking/IT incident | Network server
Highlands Oncology Group PA | Fayetteville | Health care provider | 55,297 | 12/22/2023 | Hacking/IT incident | Desktop computer, network server
Pocahontas Medical Clinic PA | Pocahontas | Health care provider | 31,216 | 8/6/2024 | Hacking/IT incident | Network server
AllCare Pharmacy | Arkadelphia | Health care provider | 16,341 | 11/29/2023 | Hacking/IT incident | Network server
Tri County Medical Supply & Respiratory Services Inc. | Salem | Health care provider | 8,000 | 10/16/2024 | Improper disposal | Paper/films
Methodist Family Health | Little Rock | Health care provider | 5,259 | 5/3/2023 | Hacking/IT incident | Network server
Baptist Health Medical Center-Drew County | Monticello | Health care provider | 5,207 | 8/30/2024 | Hacking/IT incident | Network server
1st Choice Home Care | Paragould | Health care provider | 2,700 | 5/8/2024 | Unauthorized access/disclosure | Electronic medical record
Walmart Inc. | Bentonville | Health care provider | 1,267 | 6/14/2024 | Unauthorized access/disclosure | Network server
Arkansas Blue Cross & Blue Shield | Little Rock | Health plan | 633 | 10/22/2024 | Hacking/IT incident | Network server
EngageMED Inc. | North Little Rock | Business associate | 500 | 8/30/2024 | Hacking/IT incident | Network server

Notes: These are all breaches reported by companies based in Arkansas within the last 24 months that are currently under investigation by the Office for Civil Rights. (Source: U.S. Department of Health & Human Services Office for Civil Rights)
