Attackers know a 25-bed hospital holds the same protected health information as a large system but rarely has a dedicated security team, a 24/7 SOC, or a big security budget. A rural hospital also cannot tolerate downtime, which makes it more likely to feel pressure to pay. We close that gap with layered defenses, staff phishing training, and immutable, tested backups so an incident does not force a payout.