Your Security Awareness Program Assumes a Human Gets It Right. Here Are Four Controls That Don't.

A nurse stares at a monitor in a dimly lit room

In May 2024, one of the largest health systems in the United States went to paper.

Ascension, a nonprofit network of more than 140 hospitals, detected a ransomware attack that knocked out its electronic health records, its MyChart patient portal, and the systems clinicians used to order tests, procedures, and medications. Staff charted by hand. Non-emergent procedures were paused. Ambulances were diverted to other facilities. The incident ultimately involved the protected health information of roughly 5.6 million people, and the initial access vector, in Ascension's own words, was an employee who accidentally downloaded a file they believed was legitimate. Ascension called it an honest mistake, and there is no reason to doubt that. One honest mistake took a national health system to paper for weeks.

This article is about IT compliance and cybersecurity for Critical Access Hospitals, and specifically about a question every rural facility should be able to answer: what happens in your environment when one of your people gets fooled? Not if. When.

Because here is the uncomfortable part for a rural facility. Ascension had a security team. Ascension had budget. Ascension had an awareness program. A two-person IT shop at a 25-bed hospital has a fraction of all three, and the same human beings clicking the same links.

The Playbook, Start to Finish

The trouble with learning from a health care breach is that most of them never become fully public. The organization discloses what the law requires, settles, and the operational detail stays sealed. We rarely get to see the whole attack from initial access to keys to the kingdom laid out on a record.

Which is why it is worth looking across the Atlantic for a moment, at a case that did go through open court.

On July 16, 2026, at Woolwich Crown Court, Owen Flowers and Thalha Jubair were each sentenced to five and a half years in prison for the 2024 cyber attack on Transport for London. They were 18 and 20 years old. They were not a nation-state and they did not burn a zero-day. They talked their way in. Both were members of the collective known as Scattered Spider, whose signature is social engineering against the people who hold the keys: impersonating employees, working the service desk, getting a password or an MFA device reset by a human who was just trying to be helpful. From there they escalated to what prosecutors called the highest privileged access in the environment, created a domain administrator account, and moved laterally. The bill: £29 million to remediate, more than 140 systems rendered inoperable, and all 27,000 employees required to physically report to an office to reset their passwords in person, because the organization could no longer trust its own identity system to tell it who was who.

And in case anyone reads that as a European problem: Flowers also admitted conspiring to attack SSM Health and Sutter Health, two American health systems. The same group, the same tradecraft, aimed squarely at US health care. The London case is simply the one where we get to see the entire playbook on the record, and the playbook works exactly the same on a hospital in Nebraska as it does on a transit authority in London.

The lesson from both incidents is the same. Every defense above assumed a human being would be awake, alert, and correct at the exact moment of contact. The attackers only needed one moment where that wasn't true.

The Uncomfortable Math on Awareness Training

We are not here to tell you to stop doing phishing simulations. Do them. They work. Trained staff do report more and click less.

But understand what kind of control you are buying. Awareness training is a control that only functions when a person is paying attention. That person has a patient in front of them. That person is on hour ten of a twelve. That person got two hundred emails today and it's 4:45 on a Friday. Your awareness program is asking a tired human to win, every single time, against an attacker who only has to win once.

And the attacker's side of that equation just changed.

Researchers running a controlled human-subjects study on automated spear phishing found that generic phishing emails drew a 12 percent click-through rate. Emails crafted by human experts drew 54 percent. Fully AI-automated spear phishing, with no human in the loop at all, also drew 54 percent (Heiding et al., arXiv). That was a controlled experiment rather than a live workplace, so treat the exact percentages as directional. The direction is the point. Microsoft's 2025 Digital Defense Report, measuring across its own telemetry, put the effect at roughly 4.5 times more likely to be clicked.

Read that middle number again. The machine is now as good as the expert. The expert costs money and sleeps. The machine costs pennies per message and does not.

The old advice, watch for bad grammar and awkward phrasing, is dead. It was training people to detect a tell that no longer exists. The tell was that phishing was expensive to personalize, so most of it wasn't. That constraint is gone.

So: keep the training. But stop treating it as the control. Treat it as the last line, and go build the four lines that sit in front of it.

Control 1: Filter Before the Human Ever Sees It

The most reliable way to survive a phishing email is for it never to arrive.

This is where an AI-driven inbound filter earns its keep, because it is fighting on the same terms. It does not get tired at 4:45 on a Friday. It evaluates every message against context, sender behavior, and intent rather than against a static blocklist that was current last Tuesday. It is a watcher on the wall that works the same at 3 a.m. as it does at 3 p.m.

visuaFUSION Systems Solutions is an official Trustifi Partner, and Trustifi Inbound Shield is included in the Trustifi Core Suite we make available to rural health care organizations at exclusive pricing. The same suite handles contextually aware outbound encryption, which is a separate problem most facilities are also solving badly. If you are still relying on a rule that flags external senders and hoping for the best, our Email HIPAA Compliance Guide covers where that approach falls apart.

Control 2: The Windows Vista Floor

Here is the part nobody wants to hear.

Windows Vista shipped in 2006. It shipped with User Account Control on by default. It shipped with Windows Firewall on by default. That was twenty years ago.

We still walk into rural health care environments where:

  • UAC has been turned off across the fleet, usually because one line-of-business application complained about it in 2013 and someone made it a domain-wide policy
  • The Windows Firewall is disabled on workstations and servers
  • Windows updates are months or years behind, with no consistent deployment mechanism
  • Antivirus is installed but has not pulled a definition update in weeks, and nobody is watching a report that would say so
  • Every clinical user is a local administrator on their own workstation
  • The IT staff use their domain admin account to read email, sit in Teams meetings, and browse the web

That last one is the TfL scenario with the safety off. If your admin account is the same account that opens attachments, then the phishing email and the domain compromise are the same event. There is no gap between them. Separate accounts are the difference between a bad afternoon and a £29 million afternoon.

Getting the whole list above right, consistently, across every workstation and server, and then keeping it right as machines come and go, is exactly what a managed Systems Management function is for. It is unglamorous, it is continuous, and it is the part that quietly falls behind when one person is also the help desk, the network admin, and the HIPAA Security Officer.

None of this is exotic. This is the floor. HIPAA's Security Rule addresses procedures for guarding against malicious software at 45 CFR 164.308(a)(5)(ii)(B), access management at 45 CFR 164.308(a)(4), and technical access controls at 45 CFR 164.312(a). A quick word on that first one, because it trips people up: malicious software protection is an Addressable implementation specification, and Addressable does not mean optional. It means you either implement it or document a reasoned decision not to, and unique user identification under 164.312(a)(2)(i) is Required outright. A shared admin account that browses the web is not a defensible answer to any of them.

On the patching side specifically, we wrote up what the regulation actually requires and what it doesn't in HIPAA Software Patching Requirements, including how to handle the vendor who tells you their system can't be patched.

We do not fix this by moving you to the cloud. We fix it in the environment you have. On-premises Active Directory, managed properly, is a perfectly good place for a rural hospital to be.

Control 3: Application Control

Assume the email got through. Assume the user clicked. What runs?

Application whitelisting answers that question in advance. AppLocker lets you define what is permitted to execute, and everything else simply does not run. Not blocked after the fact by a signature that has to already exist. Not run. The user can click the attachment all day.

The objection we hear from a 25-bed facility is always the same, and it is a fair one: "That will break my clinical applications." It will, if you turn it on blind. It does not, if you do it the way it is meant to be done, which is to run in audit mode first so the environment tells you exactly what runs before anything is blocked, build the allow rules from that real inventory, and scope exclusions per device group so the pharmacy application's oddball installer is permitted only on the pharmacy machines that actually need it, not fleet-wide. That per-collection discipline is precisely the kind of engineering a solo IT person rarely has time to do from scratch, and it is a standard part of how we operate the HealthNet environment rather than a custom project for each site.

One licensing note that catches a lot of facilities off guard: AppLocker rule enforcement requires Windows Enterprise or Education edition. If your fleet is on Windows Pro, you can author the policies, but they will not be enforced. This is one of several places where edition and licensing quietly determine what security controls are actually available to you, which we walk through in our Enterprise Licensing guide. If nobody at your facility has looked at whether you are licensed for the controls you think you have, that is a thirty-minute conversation worth having.

Control 4: Lock Down Your Own Domain

Picture this.

An email lands in your business office manager's inbox. It is from your CEO. Not a lookalike domain. Not ceo@yourhosptial.org with a typo. The actual, legitimate address, because your domain has no SPF record, no DKIM signing, and no DMARC policy, so anyone on the internet can send mail claiming to be anyone at your organization.

The message says the CEO needs everyone to complete a mandatory survey by end of day. Link included.

How many of your people click?

Most of them. And they should, in a sense. Everything they were trained to check comes back clean. The sender is real. This is the failure mode where awareness training doesn't just fall short, it actively works against you, because you spent three years teaching people to trust the From field.

Internal spoofing combined with a phishing payload is one of the highest-yield attacks against a small organization, and it is one of the cheapest to shut down. Properly configured SPF, DKIM, and DMARC take your own domain off the table as an attack tool.

We built a free email domain health check so you can find out where you stand in about a minute: visuafusion.com/Resources/domain-scanner. No call required, no obligation. Run it on your own domain and see what it says.

We would encourage every rural facility to run it, including the ones who will never be our clients. If it comes back clean, that is a genuinely good day and you should tell whoever configured it that they did right by you. If it doesn't, at least now you know, and you can hand the results to whoever handles your DNS.

What This Adds Up To

Every control above shares one property: it keeps working when the human is wrong.

One caveat worth stating plainly, because we are not in the business of overselling: none of this makes you unbreakable. Layered controls reduce risk, they do not zero it out. What they do is remove the single points of failure, so that one tired person on one bad afternoon is no longer the whole story. And a control you never look at is not really a control, which is why each of these needs to sit under active review rather than being switched on and forgotten. Are the definitions actually updating? Are the patches actually landing? Is anyone reading the report that would tell you they aren't? That review discipline is itself a HIPAA expectation, tied to the ongoing security management process at 45 CFR 164.308(a)(1) and the documentation and periodic review requirements at 45 CFR 164.316.

That is the whole design principle. Ascension's people were trained. TfL's people were trained. Your people are trained. Somebody is still going to have a bad moment on a bad day, and the only question that matters is what the environment does next. Does the bad moment stay a bad moment, or does it become an entire fleet down and every employee standing in line to reset a password?

Rural health care organizations carry the same HIPAA obligations as a 900-bed system with a full-time security team. The regulation does not scale down. The threat does not scale down either, which the SSM Health and Sutter Health charges in this case make plain. What scales down is the staff, the budget, and the hours in the day.

And even with every control above in place, some incident will eventually get through somewhere, which is why the last question is not just how you keep attacks out but how fast you recover when one lands. The Ascension story is, at its core, a downtime story: weeks on paper, procedures paused, ambulances diverted. A tested disaster recovery plan is what decides whether an incident is a rough few days or an existential event, and it is worth having on the shelf before you need it rather than after.

That gap is the entire reason visuaFUSION exists. As a managed IT and Microsoft licensing provider working exclusively with rural health care organizations, we deliver these controls as a cost-shared service across our HealthNet environment, which is how a 25-bed Critical Access Hospital ends up with configuration management, centrally controlled endpoint protection, application control, and AI-driven email defense on a budget that would not cover a single security hire. If the cybersecurity and IT demands laid out in this article are starting to feel like more than one or two people can reasonably carry, that is precisely the problem HealthNet exists to solve.

Leveling the IT Playing Field for Rural Health Care Organizations

Run the domain scanner first. If you want to talk through the rest of it, we offer a no-cost, no-pressure consultation. Reach us at info@visuafusion.com or +1 (308) 708-7490. We will tell you straight what we see, including the parts you are already doing well.


This article is for informational purposes only and does not constitute legal or compliance advice. Covered entities and business associates should consult qualified legal counsel or compliance professionals before making decisions pertaining to HIPAA or IT infrastructure.


Sources

  • Ascension, statements on the May 2024 ransomware incident, as reported by BleepingComputer ("Ascension hacked after employee downloaded malicious file," June 2024) and The HIPAA Journal (breach affecting approximately 5.6 million individuals, December 2024): https://www.bleepingcomputer.com/news/security/ascension-hacked-after-employee-downloaded-malicious-file/
  • Crown Prosecution Service, "Cyberhackers who targeted TfL jailed for more than five years each," July 16, 2026: https://www.cps.gov.uk/national-news/news/cyberhackers-who-targeted-tfl-jailed-more-five-years-each
  • National Crime Agency, "Two sentenced for hacking Transport for London in UK's biggest ever cyber crime case," July 16, 2026: https://www.nationalcrimeagency.gov.uk/news/two-sentenced-for-hacking-transport-for-london-in-uk-s-biggest-ever-cyber-crime-case
  • Heiding, F., et al., "Evaluating Large Language Models' Capability to Launch Fully Automated Spear Phishing Campaigns: Validated on Human Subjects," arXiv: https://arxiv.org/pdf/2412.00586
  • Microsoft Digital Defense Report 2025
  • 45 CFR 164.308, Administrative Safeguards: https://www.ecfr.gov/current/title-45/section-164.308
  • 45 CFR 164.312, Technical Safeguards: https://www.ecfr.gov/current/title-45/section-164.312

✅ Contact us today!