
The Change Healthcare cyberattack in February 2024 exposed a vulnerability that every behavioral health executive understands but few want to confront: the growing portion of your operations that depends entirely on vendors you cannot directly control. When a single clearinghouse goes down, claims stop flowing. When an EHR vendor gets compromised, patient care documentation becomes inaccessible. When a billing service suffers a breach, your organization faces regulatory consequences for data you never directly handled.
The incident disrupted healthcare operations nationwide, endangered patient access to care, and threatened provider solvency (American Hospital Association, 2024). Every hospital in the country felt the impact, either directly or indirectly (American Hospital Association, 2024). Each vendor represents a potential point of failure. Each one carries risk that ultimately lands on your organization’s doorstep, regardless of where the breach originated.
Third-party risk management offers a framework for governing what you cannot directly control. When implemented properly, TPRM transforms vendor relationships from blind trust arrangements into documented, measured, and continuously monitored partnerships.
Building Risk Intelligence Instead of Risk Anxiety
The HIPAA Security Rule requires regulated entities to perform an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (HHS, 2024). The emphasis belongs on ongoing assessment. One-time vendor assessments create the illusion of control without the substance.
Effective TPRM programs start with a complete vendor inventory: not just the obvious technology partners, but every entity that touches protected health information or enables critical business functions, including claims clearinghouses, billing services, EHR vendors, cloud storage providers, and email platforms.
A major retailer was breached as a result of a cyberattack on its HVAC vendor system, with stolen credentials from the vendor used to break into the retailer’s systems (HIMSS, 2021). This supply chain attack demonstrates how seemingly low-risk vendors can create significant exposure.
Once you know who has access, you can begin tiering vendors by risk. NIST guidance recommends that organizations identify, assess, and respond to cybersecurity risks throughout the supply chain at all levels (NIST, 2025). The inventory identifies the specific risks to evaluate in each third-party relationship and determines the acceptable risk level for each.
The tiering matters because not every vendor deserves the same scrutiny. Your EHR vendor and your office supply company do not carry equivalent risk profiles. Tiering allows you to allocate assessment resources proportionally.
Contract Controls That Create Real Accountability
Business Associate Agreements under HIPAA provide the legal foundation for vendor accountability. A written contract between a covered entity and a business associate must establish permitted and required uses of protected health information, require appropriate safeguards, and mandate reporting of unauthorized uses or breaches (HHS, 2017).
Most organizations have BAAs in place. Few have good ones. Strong BAAs include cybersecurity requirements that scale with vendor risk levels, specify cyber insurance minimums, define breach notification timelines, establish audit rights, and create clear termination conditions when vendors fail to meet security standards.
The contract provides leverage only if you use it. Regulated entities must implement procedures to regularly review records to track access to electronic protected health information and detect security incidents, and periodically evaluate the effectiveness of security measures (HHS, 2024). Annual reassessments help ensure vendors maintain compliance and adapt to evolving threats.
Business Associate Agreements should include cybersecurity and cyber insurance requirements for vendors and subcontractors, which scale with the level of risk presented by each business associate (American Hospital Association, 2024). This scaling principle matters. Your highest-risk vendors deserve quarterly reviews. Lower-risk vendors might require only annual check-ins.
Tabletop Testing: Where Theory Meets Reality
Governance structures and contract terms mean little if they collapse under pressure. Tabletop exercises test your TPRM program against realistic failure scenarios before you face actual vendor outages.
Effective tabletop exercises simulate specific vendor failures relevant to your operations. What happens when your EHR vendor goes offline for 24 hours? How do you maintain operations if your claims clearinghouse gets ransomwared? Who makes decisions about activating backup systems? Which vendors can you pivot to? What communication protocols activate?
Organizations need to ensure that resiliency is built into utility infrastructure systems to protect patients amid an outage (HealthTech Magazine, 2025). This includes having enough materials on-premises to provide continuity of patient care during extended vendor disruptions.
Not only do health systems need to have a technology, business and clinical continuity plan in place, they need to run simulations on these plans and update their documents based on what they learn (HealthTech Magazine, 2025). Organizations can start by simulating an outage within a single department to test effectiveness.
Tabletop testing reveals gaps in your TPRM program that paperwork never will. You discover which vendors lack adequate backup capabilities. You identify dependencies you did not know existed. You find communication breakdowns before they occur during actual crises.
Testing frequency should match your risk tolerance. High-risk vendor scenarios deserve quarterly exercises. Annual testing provides baseline preparedness for lower-risk scenarios.
The Change Healthcare incident demonstrated the cost of inadequate access controls. The attack occurred because a particular server did not have multi-factor authentication enabled (U.S. House Energy and Commerce Committee, 2024). That single security gap enabled access to systems processing 15 billion healthcare transactions annually.
The disruption to care delivery occurs not only when hospitals are attacked directly, but also when mission and life-critical third-party providers to healthcare are attacked (American Hospital Association, 2024). Third-party vendor compromise can create even more wide-ranging disruption than direct attacks on your organization.
You cannot eliminate third-party risk. You can govern it through systematic inventory, risk-based tiering, strong contractual controls, technical access limitations, and regular testing. The alternative is hoping the next Change Healthcare incident hits someone else’s vendor instead of yours.
Hope makes terrible risk management strategy.
Are your vendor relationships governed by documentation or by chance? Xpio Health helps behavioral health organizations build practical third-party risk management programs that protect operations without creating bureaucratic overhead. Contact us to assess your current vendor risk exposure and develop a TPRM framework that matches your organization’s actual risk profile.
#BehavioralHealth #PeopleFirst #XpioHealth #Cybersecurity #RiskManagement #HIPAA #VendorManagement
References
- American Hospital Association. Change Healthcare Cyberattack Underscores Urgent Need to Strengthen Cyber Preparedness for Individual Health Care Organizations and as a Field. AHA. 2024. https://www.aha.org/change-healthcare-cyberattack-underscores-urgent-need-strengthen-cyber-preparedness-individual-health-care-organizations-and
- U.S. Department of Health and Human Services. Summary of the HIPAA Security Rule. HHS.gov. 2024. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
- HIMSS. Cybersecurity in Healthcare. HIMSS. 2021. https://www.himss.org/resources/cybersecurity-healthcare
- National Institute of Standards and Technology. NIST Updates Cybersecurity Guidance for Supply Chain Risk Management. NIST. 2025. https://www.nist.gov/news-events/news/2022/05/nist-updates-cybersecurity-guidance-supply-chain-risk-management
- U.S. Department of Health and Human Services. Business Associate Contracts. HHS.gov. 2017. https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
- American Hospital Association. 4 Keys to Manage Third-Party Cybersecurity Risk. AHA. 2024. https://www.aha.org/aha-center-health-innovation-market-scan/2024-10-22-4-keys-manage-third-party-cybersecurity-risk
- HealthTech Magazine. Key Elements of Business Continuity and Disaster Recovery for Healthcare. HealthTech Magazine. 2025. https://healthtechmagazine.net/article/2025/09/key-elements-business-continuity-and-disaster-recovery-healthcare
- U.S. House Committee on Energy and Commerce. What We Learned: Change Healthcare Cyber Attack. Energy and Commerce. 2024. https://energycommerce.house.gov/posts/what-we-learned-change-healthcare-cyber-attack