$50 Billion for Rural Health. Cybersecurity Is on the List.

On December 29, 2025, CMS announced that all 50 states had received awards under the Rural Health Transformation Program. The total allocation is $50 billion over five fiscal years, from FY2026 through FY2030, at $10 billion per year. It is the largest dedicated rural health investment in US history.

Most of the early coverage has focused on telehealth expansion, AI adoption, and remote patient monitoring. Those are real priorities, and states are already funding them. But there is another eligible activity in the statute that has received far less attention: cybersecurity capability development.

For rural hospitals running aging infrastructure with limited IT staff, this is worth paying attention to.

What the program is

The Rural Health Transformation Program was authorized by Section 71401 of Public Law 119-21, signed into law on July 4, 2025. CMS administers it through its newly established Office of Rural Health Transformation, created on December 19, 2025, within the Center for Medicaid and CHIP Services.

The structure is state-led. Only the 50 US states are eligible applicants. States submitted applications to CMS between September 15 and November 5, 2025, and all 50 received awards. State allocations average approximately $200 million per year, ranging from $147 million to $281 million depending on rural population and need.

States then distribute funds to eligible rural health providers within their borders. There is no federal match requirement. Unlike the SLCGP, which requires a 40% non-federal cost share, the RHT Program is fully federal. States do not have to come up with matching dollars, and neither do the providers receiving the funds.

Who qualifies as a provider

The program defines eligible providers broadly. According to CMS, the following provider types can receive funds through their state:

• Rural hospitals
• Rural health clinics
• Federally qualified health centers (FQHCs)
• Behavioral health clinics
• Pharmacies
• Emergency medical services (EMS) providers
• Independent primary care and specialty physicians
• Allied health professionals

The common thread is rural. If your facility serves a rural community and falls into one of these categories, you are potentially eligible. The specifics depend on how your state chose to structure its program.

What the statute says about cybersecurity

Section 71401 lists ten eligible activity categories. States must select at least three. One of them authorizes funding for:

Providing technical assistance, software, and hardware for significant information technology advances designed to improve efficiency, enhance cybersecurity capability development, and improve patient health outcomes.

That language is broad. "Cybersecurity capability development" is not limited to a specific technology or system type. It covers assessments, tools, training, and infrastructure. For a rural hospital, that could mean a vulnerability assessment of externally facing systems, network segmentation between clinical and building infrastructure, endpoint protection for networked medical devices, or staff training on incident response.

States are already acting on it. CMS has confirmed that Maine and Utah are investing RHT funds in cybersecurity risk assessments, threat detection capabilities, and technical assistance for rural providers.

Why this matters for hospitals

Rural hospitals operate in a threat environment that has been escalating for years. The healthcare sector reported more ransomware incidents to HHS in 2023 than any other critical infrastructure sector. Small and mid-sized facilities are disproportionately targeted because they typically have fewer security resources and less tolerance for downtime. A hospital that loses access to its electronic health records or its building management systems cannot simply wait for restoration. Patient safety is at stake.

At the same time, most rural hospitals have never had the budget for a dedicated cybersecurity assessment, let alone a remediation program. Their IT teams are small, often shared with other departments, and focused on keeping clinical systems running. Security improvements compete with every other capital need in the facility.

The RHT Program changes that calculus. With no match requirement and state-level administration, the funding is more accessible than most federal grant programs. A rural hospital does not need to write a standalone federal grant application. It needs to work with its state to access an allocation that already exists.

How the funding flows

The application process does not work like a traditional competitive grant. Here is how it is structured:

1. States received their awards from CMS. All 50 states were awarded funds on December 29, 2025. Each state developed its application in collaboration with its state health agency, state Medicaid agency, Office of Rural Health, tribal affairs office, and Indian health care providers.
2. States distribute to providers. Each state determines how to allocate funds across eligible provider types and activities. Some states are running sub-grant programs. Others are contracting directly with service providers on behalf of rural facilities.
3. Administrative costs are capped at 10%. At least 90% of each state's allocation must go to direct services and provider support.
4. Unused funds carry forward. If a state does not spend its full annual allocation, the unused portion carries forward through the second succeeding fiscal year. After that, CMS redistributes it.

The practical implication: if your state has not yet stood up its cybersecurity-related sub-grant process, the money is still there. These are five-year allocations, not one-time windows. But states that move early will set the pattern for how funds are distributed in subsequent years.

What hospitals should do now

If you operate a rural hospital or health clinic and you have not looked into your state's RHT Program yet, here is where to start:

1. Contact your state's Office of Rural Health. Every state has one. They were required participants in the RHT application process and will know how the state is distributing funds, including whether cybersecurity is one of the selected activity categories.
2. Find out which activities your state selected. States chose at least three of the ten eligible activities. Not every state selected cybersecurity. If yours did, ask how to access those funds. If it did not, the information still matters for future fiscal years.
3. Document your cybersecurity gaps. Whether you are applying through your state's RHT process or another program, the strongest funding requests are backed by evidence. A vulnerability assessment that identifies specific, verifiable exposures gives your state administrator exactly what they need to justify the expenditure.

The money is already allocated to your state. The question is whether your facility shows up with a documented need before the funds are committed elsewhere.

How this compares to other programs

The RHT Program is not the only federal funding source for hospital cybersecurity, but it has structural advantages over the alternatives.

• SLCGP ($1 billion over four years, CISA/FEMA): Hospitals can access this through local government partnerships, but it requires a 40% non-federal match and is not healthcare-specific. The RHT Program has no match requirement.
• Small Rural Hospital Improvement Program (SHIP) (HRSA, ~$13,500 per hospital per year): Explicitly covers cybersecurity assessments and training, but the per-facility amount is small. Good for initial assessments, not for remediation projects.
• UPGRADE Program (ARPA-H, $43-50 million): Focused on research and development of automated vulnerability mitigation tools for hospitals. Funds flow to research institutions, not directly to hospitals.

The RHT Program sits in a different category. The scale is larger, the match requirement is zero, and the eligible provider list is broad. For a rural hospital that has never had cybersecurity funding, this is the most accessible path available right now.

Where Sentinel OT fits

We work with critical infrastructure operators to identify externally observable cybersecurity exposure and deliver the documentation needed to act on it. Our assessments cover IT and OT infrastructure, including the building management systems, networked medical devices, and control networks that hospitals depend on.

For hospitals pursuing RHT cybersecurity funding through their state, we provide the evidence that justifies the expenditure: a verified vulnerability assessment that identifies specific exposures, maps them to known CVEs, and scopes the remediation work. That assessment becomes the foundation for a funding request, a remediation plan, and an ongoing monitoring program.

If your state selected cybersecurity capability development as one of its RHT activities, the funding path is shorter than you think. The first step is understanding what is exposed.