Industry · Rural and critical-access hospitals, FQHCs, rural community health

A clinical IT environment that cannot tolerate downtime, run as one accountable managed service.

For critical-access hospitals, FQHCs, and rural community health systems with 50 to 1,000 staff. Your EHR, imaging, lab, pharmacy, scheduling, and the on-call paging tree must work at 3 a.m. on a holiday weekend: downtime is a patient-safety event. CompleteCare delivers identity, endpoint, a 24/7 managed SOC, HIPAA-aligned governance, and the Microsoft cloud baseline, operated for you so a one-to-three-person IT team is not the constraint. Cyber-insurance ready. Audit-defensible. Month-to-month.

  • Microsoft Solutions Partner, five designations including Data & AI Verified
  • Microsoft Rural Hospital Resiliency Program partner
  • Rural Health Transformation Program: $50B in 2026–2030 grant funding for security, governance, and AI
  • HIPAA Security Rule and HITECH-aligned by configuration, not by hope
  • 60–75% off Microsoft licensing for qualifying rural hospitals

The moment

The threat curve and the compliance curve are both moving against small hospitals.

You manage HIPAA, 24/7 clinical operations, aging infrastructure, and an IT team of one to three, while the board asks about AI, the cyber-insurance underwriter wants documented controls, and the next OCR, state DOH, or Joint Commission review is on the calendar. The work is real. None of it was sized for the threat your hospital now faces.

Ransomware now targets rural hospitals deliberately

Ransomware against rural hospitals is now measured in cancelled surgeries and diverted ambulances. Operators choose hospitals precisely because clinical disruption forces fast payment. This is a documented, present risk, and it is the reason underwriters tightened the bar.

Cyber-insurance turns on documented controls

Underwriters now require MFA enforcement, EDR coverage, privileged-access management, immutable backups, and demonstrable incident-response procedures, both to renew and to pay claims. Most rural hospitals answer those questions with "we think so." That is no longer underwritable.

HIPAA Security Rule and HITECH require demonstrable safeguards

Section 164.308 (administrative), 164.310 (physical), 164.312 (technical): access controls, audit trails, encryption, risk-management documentation. A one-to-three-person IT team cannot author and maintain that evidence alone. The Microsoft stack delivers most of it, once it is configured.

An IT team never sized for the threat

Recruiting an experienced security analyst into a rural region, let alone enough analysts for 24/7 coverage, is not realistic on the timeline the threat curve is moving. Named senior engineers across identity, endpoint, security, and AI extend your team without the headcount.

Survey and audit windows

OCR, state DOH, HRSA, and Joint Commission reviews are not scheduled at your convenience. They require documented governance, access reviews, audit logs, and BCP/DR. Documentation built before the visit is calmer, and more defensible, than documentation built during it. We produce the evidence as part of the quarterly business review cycle.

Revenue-cycle pressure

Claims denials and manual processes pull working capital out of clinical operations. AI workflows that parse denial reasons and draft appeals recover revenue that is already yours.

The AI question from the board

Trustees want a credible answer on AI strategy, governance, and cyber posture, in language they can act on. A 90-minute Frontier Briefing delivers it.

Microsoft 365 is underused

Most rural hospitals pay for Business Premium capabilities they have never enabled: Intune, Defender for Office, Entra Conditional Access, Purview labels. These are the same capabilities the cyber-insurance underwriter and the HIPAA auditor expect to see configured.

Why this matters now

The evidence, stated plainly.

This is not vendor alarm. It is what federal advisories and cyber-insurance underwriters have already put on the record.

Federal advisories have repeatedly named rural and community hospitals as priority ransomware targets for groups including BlackCat, LockBit, and their successors. Operators choose hospitals precisely because clinical disruption forces fast payment.

Source: HHS Health Sector Cybersecurity Coordination Center (HC3) and the Cybersecurity and Infrastructure Security Agency (CISA) advisories.

Cyber-insurance underwriters now require evidence of operational controls, MFA enforcement, EDR coverage, immutable backups, and 24/7 monitoring, before they will renew a policy, and again before they will pay a claim. A gap in any one of these affects premium, limits, or renewal itself.

Source: Current cyber-insurance underwriting requirements for healthcare organizations.

HRSA and CMS programs increasingly require documented technical controls, not just attestations. State health departments have begun their own breach-reporting and resilience reviews. Documentation is now an operating requirement, not a once-a-year exercise.

Source: HRSA and CMS program requirements; state Department of Health resilience reviews.

The choice in front of you

Two paths. Both cost real money. Only one is defensible at audit.

Continue ad hoc

Tools added piece by piece, with no documented baseline

  • Patches and policies depend on one or two people knowing.
  • Incident response is improvised in the moment.
  • Compliance evidence is reconstructed under deadline.
  • Underwriters and surveyors find gaps you did not know existed.

Governed by design

A documented baseline, operated and evidenced continuously

  • CIS IG1 baseline established and reported quarterly.
  • 24/7 SOC with a five-minute first-response SLA on Critical incidents.
  • HIPAA controls documented and continuously evidenced.
  • Tenant hygiene monitored every month across eight categories.
  • Audit and underwriter requests answered from a dashboard.

CompleteCare is the second path, delivered as a managed service so your IT team is not the constraint. The deployment is the documentation: identity, devices, data classification, and audit logging are designed before any clinical workload is enabled, and the evidence is a by-product of running the platform properly.

How we help

Governed by design, delivered as a managed service.

We run the Microsoft stack as a managed program against the HIPAA posture your auditor and your cyber-insurance underwriter actually ask for. For rural hospitals, Foundations, Shield, and Govern lead: the baseline, the 24/7 SOC, and the compliance evidence layer. Intelligence enables documentation, scheduling, and revenue-cycle productivity once those controls are in place.

CompleteCare Foundations

The defensible IT standard for a clinical environment

Microsoft 365 Business Premium operated to CIS Top 18 IG1: identity, devices, email, data protection. The baseline the cyber-insurance application asks for and the HIPAA Security Rule expects. For rural hospitals, Foundations also includes the HIPAA Security Rule control mapping, and a Business Associate Agreement executed before any PHI environment work begins. Delivered as a monthly workstream with weekly tenant monitoring and quarterly business reviews.

From $4,500/month for the typical 50–150 user band


CompleteCare Govern (HIPAA emphasis)

The HIPAA evidence layer, in Microsoft Purview

Govern is where you stop reconstructing evidence under deadline. Microsoft Purview operated as a HIPAA compliance program: a control catalogue mapped to the HIPAA Security Rule (45 CFR 164.308, 164.310, and 164.312), PHI sensitivity labels, DLP for PHI-bearing channels, Audit Premium trails preserved for the retention window OCR expects, and a quarterly attestation package suitable for HRSA, CMS, state DOH, and underwriter review.

Kickoff $15,000 plus $1,500/month


CompleteCare Shield

The tier rural hospitals cannot do without

24/7 managed Microsoft Sentinel SOC plus Defender XDR for hospitals: the cyber-insurance underwriter's evidence pack and the HIPAA breach-detection answer in one service. A five-minute first response on Critical incidents, with a human analyst on the bridge. Containment runbooks for ransomware, business email compromise, and account takeover. Tabletop exercises twice a year, including a clinical-downtime scenario. Co-managed with your IT team.

Kickoff $30,000 plus $4,000/month plus Sentinel passthrough


Healthcare AI Readiness (Intelligence tier, healthcare-specific)

Clinical documentation, Claims Denial Navigator, governed agents

Microsoft Dragon Copilot for ambient clinical documentation, the Claims Denial Navigator for revenue-cycle workflows, scheduling and patient communication agents: deployed with HIPAA-aligned governance, sensitivity labels propagated to AI outputs, and Microsoft Agent 365 audit trails ready for your compliance team.

Diagram showing the CompleteCare stack: Foundations as the universal prerequisite anchor, with six upper tiers (Govern, Intelligence, Shield, Automate, Insight, and Construct) stacked on top.

CompleteCare Foundations is the universal prerequisite. Shield, Govern, and Intelligence all require the identity and device baseline Foundations delivers, and the IG1 baseline is the floor everything else stands on. We will not operate a 24/7 SOC, a Purview compliance program, or governed Copilot on a tenant that is not on Foundations. Not on Microsoft 365 yet, or still running a legacy on-prem mail server? M365 InstantOn is the front door: a fixed-fee Launch that stands up and hardens the Business Premium baseline, then graduates into Foundations. One Master Services Agreement and one BAA govern the relationship; each tier engages under its own scope and price.


The build can be a project; the operation is a service. The initial HIPAA-aligned build (identity, devices, data classification, and audit logging) can be scoped as a fixed-scope Project SOW you own at the end. The 24/7 SOC, continuous monitoring, and ongoing governance are delivered as a managed service, because round-the-clock detection and documented incident response are not a one-time deliverable.

HIPAA depth

The HIPAA Security Rule, mapped control by control to the Microsoft platform.

The HIPAA Security Rule organizes its safeguards into three parts: 45 CFR 164.308 administrative safeguards, 164.310 physical safeguards, and 164.312 technical safeguards. CompleteCare maintains a control catalogue mapped to all three, and a Business Associate Agreement is executed before any PHI environment work begins. Cyber-insurance underwriters ask for the same controls plus EDR coverage, immutable backup, and incident-response procedures. The deployment is the documentation: CompleteCare delivers the configuration, the operation, and the evidence in one program.

A three-column reference of HIPAA Security Rule sections 164.308 Administrative Safeguards, 164.310 Physical Safeguards, and 164.312 Technical Safeguards, each listing the Microsoft technologies that satisfy them and the CompleteCare tier that covers each section.

Microsoft Purview

Sensitivity labels mapped to PHI classifications, propagated end-to-end through Microsoft 365 Copilot prompts and outputs (CompleteCare Govern).

Microsoft Entra ID

Conditional Access scoped to PHI-cleared roles and devices, with multi-factor and risk-based sign-in policy (CompleteCare Foundations plus Govern).

Microsoft Defender XDR

24/7 managed detection tuned to hospital environments and medical-device realities (CompleteCare Shield).

Microsoft Sentinel SOC

Five-minute first response on Critical incidents, with a human analyst on the bridge. An OCR-defensible incident timeline if a breach is ever investigated (CompleteCare Shield).

Microsoft Agent 365 audit trails

Every agent interaction with PHI-adjacent data logged in the format your compliance team needs (CompleteCare Intelligence plus Govern).

HIPAA Security Rule control mapping

A control catalogue mapped to 45 CFR 164.308 administrative, 164.310 physical, and 164.312 technical safeguards, with Audit Premium trails preserved for the retention window OCR expects. Refreshed quarterly as part of the QBR cycle.

Business Associate Agreement

A BAA is executed before any PHI environment work begins. Microsoft also signs a BAA covering Microsoft 365 and Azure under the Microsoft Online Services Terms.

Cyber-insurance evidence pack

Generated on request from CloudCapsule and Sentinel: MFA enforcement, EDR coverage, PAM, immutable backup posture, incident-response runbook, table-top exercise log.

Joint Commission readiness

Access reviews, audit logs, and BCP/DR evidence produced as part of the QBR cycle. Documentation ready for your next survey.

When an incident happens

What Shield commits to, in writing.

An IT director should be able to answer the underwriter from a dashboard, not a binder. Shield is the operational answer, 24 hours a day, every day.

  • Five-minute first response on every Critical incident, with a human analyst on the bridge.
  • Containment runbooks for ransomware, business email compromise, and account takeover.
  • Tabletop exercises twice a year, including a clinical-downtime scenario.
  • Coordination with your cyber-insurance breach counsel during a live incident.
  • An OCR-defensible incident timeline, preserved if a breach is ever investigated.
  • A post-incident written report within five business days, in plain language for the board.
A document-styled checklist of the six controls cyber-insurance underwriters now require (MFA, EDR, SOC, incident-response runbook, table-top exercise log, and immutable backup), each showing the Microsoft component that produces the evidence.
A grid showing all 18 CIS Top 18 controls shaded by the Foundations phase that delivers each one, with striped cells indicating controls that require engagement beyond Microsoft 365 Business Premium.

Hospitals and health centers we serve

Rural and critical-access hospitals, FQHCs, and rural community health across the country.

Outcomes

What good looks like, measurable from day one.

Outcomes hospitals can expect from CompleteCare for rural hospitals

Outcome and target:

  • Microsoft licensing discount: 60–75% off via Microsoft Rural Hospital Resiliency Program for qualifying hospitals
  • Time to HIPAA-aligned baseline: Under 90 days on Foundations plus Shield kickoff
  • 24/7 SOC coverage online: Five-minute Critical-severity SLA from Shield go-live
  • Cyber-insurance evidence pack: Generated on demand for renewal cycles
  • Claims Denial Navigator deployment: 90 days under Healthcare AI Readiness
  • HIPAA risk-management documentation: Refreshed quarterly as part of the QBR cycle

Funding your roadmap

There are two ways to pay for this. They stack.

Most of the security, governance, and AI work on this page can be funded, and the two programs are separate, complementary sources. One is a federal grant your state distributes; the other is Microsoft’s philanthropic program. We help you map each piece of work to the right one.

Federal grant · distributed by your state

Rural Health Transformation Program

The $50 billion fund from the One Big Beautiful Bill Act. Cybersecurity, IT modernization, and AI are named, allowable uses, distributed through your state on rolling application windows. The prepared hospitals win, so the time to scope a fundable project is now.


Microsoft · philanthropic program

Microsoft Rural Hospital Resiliency Program

60–75% off Microsoft licensing, a free one-year Windows 10 ESU, free cybersecurity assessments, and free AI tools for qualifying rural and critical-access hospitals. We handle eligibility and execution as your CSP. Full detail below.


We are not grant writers, but we are the technical input your application needs. For the RHTP grant we give your CFO and grant team a defensible scope, indicative pricing, and a use-of-funds mapping that ties each engagement to the program’s allowable categories, in the language a state application expects.

Microsoft Rural Hospital Resiliency Program

A separate Microsoft program, built specifically for rural and critical-access hospitals.

The Resiliency Program is Microsoft’s philanthropic commitment to all rural health hospitals in the US: free cybersecurity, affordability, and AI tools for qualifying organizations. Centered Networks is a participating partner. As your CSP we handle eligibility, place the discounted licenses, deploy the Windows 10 ESU coverage, and operationalize the assessments and AI tools through the CompleteCare program.

  • 1 in 3

    Rural hospitals are actively participating in the Microsoft Rural Health Resiliency Program.

  • 400+

    Independent CAHs and REHs are saving 60–75% on common Microsoft products.

  • 100+

    Rural hospitals have adopted no- or low-cost AI tools to support their unique needs.

Source: Microsoft Rural Health Resiliency Program, 2025.

Affordable Access

Licensing and Windows 10 support, sized for rural-hospital reality

  • 60–75% off Microsoft licensing for independent critical-access hospitals (CAHs) and Rural Emergency Hospitals (REHs) on common business and security products.
  • Free one-year Windows 10 Extended Security Update for up to 250 devices running 22H2, valid through October 13, 2026, buying time for a phased Windows 11 transition without paying for standard ESU per device.

Capacity & Capability

Free assessments and training to close the gap your IT team can’t close alone

  • Free cybersecurity assessments to enhance posture against the threat actors deliberately targeting rural hospitals.
  • Free Cloud Capability Evaluation. A roadmap to shift IT off the legacy on-prem footprint that drains budgets, slows staff, and steals time from patient care.
  • Free curated cybersecurity and AI training for frontline staff.
  • Free foundational cybersecurity certifications for IT staff.

AI & Innovation

RHAIL-developed tools, free to deploy on your existing tenant

  • Claims Denial Navigator. The first AI innovation co-created with healthcare leaders in the Rural Health AI Innovation Lab (RHAIL). EHR-agnostic; helps recover lost revenue and streamline denied Medicare, Medicaid, and commercial claims. Free, runs on SharePoint, Azure, and Power Apps.
  • AI Skills Navigator. Tailored, self-guided AI training paths for staff at every level.

How participation works. Eligibility requires that the hospital be listed as rural in Microsoft’s reference database (all independent CAHs and REHs qualify; for health-system customers, only the specific hospital listed as rural qualifies), registering for the Resiliency Program directly with Microsoft, and accepting TechSoup as a provider. Centered Networks runs the Microsoft side as your CSP: eligibility check, discounted-license placement, Windows 10 ESU key deployment, and operationalization of the assessments and AI tools through CompleteCare. A Discovery Sprint surfaces which Resiliency Program benefits apply and in what order to land them.

You can also register directly with Microsoft for the Resiliency Program if you’d rather start there. We can become Partner of Record after enrollment and pick up the operational work whenever you’re ready.

The productized path is Rural Resiliency Readiness: a two-week, $5,000 fixed-fee engagement that takes a rural hospital from initial consideration to fully enrolled, with licenses placed, Windows 10 ESU deployed, and a 90-day operational roadmap into CompleteCare. The cleanest single move if the Resiliency Program is the immediate priority.


Why Centered Networks

Built for HIPAA-aligned managed services on Microsoft, not generic MSP work.

Horizontal map showing Centered Networks' five verified Microsoft Solutions Partner designations: Modern Work, Security, Infrastructure, Data and AI (featured), and Digital and App Innovation, each connected to the CompleteCare tiers it anchors.
  • Five Microsoft Solutions Partner designations.

    Modern Work, Security, Infrastructure (Azure), Data & AI (Azure), Digital & App Innovation (Azure): verified by Microsoft. The Security designation specifically validates our SOC practice.

  • Microsoft Rural Hospital Resiliency Program partner.

    Direct path to the discounted licensing and free assessments. We handle eligibility and execution as your CSP.

  • HIPAA-aligned by configuration, not by hope.

    A Business Associate Agreement is executed before any PHI environment work begins. Every CompleteCare engagement produces a control catalogue mapped to 45 CFR 164.308, 164.310, and 164.312, refreshed quarterly.

  • 24/7 managed SOC on Microsoft Sentinel.

    The same service the cyber-insurance underwriter and the HIPAA auditor both ask about, delivered as Shield.

  • Co-managed with your IT team.

    Named senior engineers across identity, endpoint, security, and AI: extending an IT team of one to eight, not replacing it.

  • Month-to-month. No twelve-month lock-in.

    The structural commitment is on us. Give 30 days' written notice to stop any tier.

Questions

Frequently asked questions.

Are you HIPAA-compliant as a service provider?

Centered Networks operates under a Business Associate Agreement (BAA) with every hospital client. Microsoft also signs a BAA covering Microsoft 365 and Azure under the Microsoft Online Services Terms. The combination is the standard arrangement for HIPAA-aligned managed services on the Microsoft platform. We provide the BAA template at engagement.

Will Shield satisfy our cyber-insurance underwriter?

In every renewal we have supported, yes. Shield produces the evidence underwriters now expect: MFA enforcement, EDR coverage, 24/7 SOC, IR runbook, table-top exercise log. We generate the evidence pack on demand for renewal cycles. If your underwriter has a control framework we have not seen, we map it during Discovery.

We are a 75-bed critical-access hospital with a three-person IT team. Are we too small?

No. The 50 to 300 user band is well within Foundations plus Shield scope. Most critical-access hospitals fit the 50 to 150 band, where Foundations runs about $4,500 per month and Shield kickoff is $30,000 plus $4,000 per month plus Sentinel passthrough. The cyber-insurance savings often pay for a meaningful portion.

Can the Claims Denial Navigator and Dragon Copilot really run alongside HIPAA?

Yes, with Foundations and Govern in place first. We do not deploy clinical AI on a tenant that is not on Foundations plus Govern. The sequence is: Foundations (CIS IG1 baseline), then Govern (PHI labels, DLP, audit), then Healthcare AI Readiness (Dragon Copilot, Claims Denial Navigator, governed agents).

What is the Rural Hospital Resiliency Program?

A Microsoft program for qualifying rural and critical-access hospitals (independent CAHs and REHs). Three pillars: Affordable Access (60–75% off common Microsoft products, plus a free one-year Windows 10 ESU for up to 250 devices through October 13, 2026); Capacity & Capability (free cybersecurity assessments, Cloud Capability Evaluations, curated cyber and AI training for frontline staff, foundational cyber certifications for IT staff); and AI & Innovation (free Claims Denial Navigator from the Rural Health AI Innovation Lab, plus the AI Skills Navigator).

Centered Networks is a participating partner. We handle eligibility, place the discounted licenses, deploy the Windows 10 ESU keys, and operationalize the assessments and AI tools through CompleteCare.

Can the Rural Health Transformation Program (RHTP) pay for this work?

In most cases, yes. RHTP is the $50 billion federal program created by the One Big Beautiful Bill Act, administered by CMS and distributed through the states over fiscal 2026 through 2030. Cybersecurity capability development, significant IT advances, data sharing, and emerging technology are named, allowable uses, and that maps directly to M365 InstantOn, CompleteCare Foundations, Govern, Shield, and Healthcare AI Readiness. We are not grant writers, but we give your CFO and grant team a defensible scope, indicative pricing, and a use-of-funds mapping in the language a state application expects. It is separate from, and stacks with, the Microsoft Rural Hospital Resiliency Program.

Do you co-manage with our internal IT team or replace them?

Co-manage. Named senior engineers across identity, endpoint, security, and AI extend your in-house IT. Your team typically focuses on biomedical-device IT, clinical-app vendor management, and end-user support. We operate the Microsoft stack underneath.

Brand mark stating the No-Lock-In Promise: month-to-month from day one, with no 12-month contract, no auto-renewal, and no termination fee, anchored by a 30-day exit chip.

Start a Discovery Sprint.

Two weeks of structured discovery tailored to a rural hospital. We measure your Microsoft 365 tenant against CIS IG1 and HIPAA-aligned controls, return the five most consequential hygiene findings in plain English, and scope a 30/60/90 path to a HIPAA-aligned baseline with 24/7 SOC. Every quarter without governance is a quarter of evidence you cannot produce later.

Two weeks. No commitment beyond insight. Microsoft Rural Hospital Resiliency Program eligible.

