
When attackers breached Change Healthcare’s remote access systems in February 2024, they triggered $6.3 billion in claim disruptions within three weeks. Behavioral health clinics that never contracted with Change Healthcare watched their revenue dry up anyway. Your vendor’s vulnerability became your liquidity crisis. That’s the new operational reality.
Change Healthcare handles claims for a huge portion of the healthcare economy. When attackers took down their systems in February 2024, the disruption reached small behavioral health clinics in rural towns, many of which never signed a direct contract with Change Healthcare. The American Hospital Association (2024) reported that 74% of hospitals experienced direct patient care impact, and 94% faced financial consequences. That’s the new math of risk.
Security now works like herd immunity. A weak link anywhere creates consequences everywhere. Your security posture is no longer about what your organization directly controls. It’s about what you tolerate in your vendor ecosystem, your supply chain, and your operational environment.
The scale of this breach has prompted federal response, fresh scrutiny, and a clear warning to executives. HHS’s new Cybersecurity Performance Goals (CPGs) put stakes in the ground for what basic cyber hygiene should look like across healthcare organizations. These guidelines aren’t mandatory yet. But ignoring them puts your operations, your financial health, and your patients at risk. The CPGs are written in the language of encouragement, but they whisper the grammar of future compliance.
What the CPGs Are and Why They Matter Now
The HHS CPGs outline a roadmap of reasonable cybersecurity practices, tailored to healthcare. They’re divided into “essential” and “enhanced” goals, emphasizing real-world threats, not theoretical ones. HHS (2024) explains that essential goals include multi-factor authentication, network segmentation, data recovery planning, and endpoint detection. These are foundational controls most behavioral health organizations still struggle to operationalize. Enhanced goals push further, addressing asset inventory management, third-party vulnerability disclosure, centralized log collection, and penetration testing protocols.
These goals come directly out of the national Cybersecurity Strategy and Healthcare Sector Coordinating Council. They’re designed for implementation, not inspiration. And while they’re voluntary now, regulators and payers are watching. The Health Sector Coordinating Council (2024) emphasizes that focused investment and accountability are imperative to protect against the rising epidemic of cyberattacks on the sector.
The CPGs directly address the attack vectors that have proven most effective against healthcare organizations. They map to existing frameworks like the NIST Cybersecurity Framework and Health Industry Cybersecurity Practices, creating a structured path from baseline security to advanced cyber resilience. This alignment means organizations already working toward HIPAA compliance or SOC 2 certification can leverage existing work while closing critical gaps.
When a breach happens, executive leaders don’t just face downtime. They face reputational damage, liability exposure, and long-term disruption to contracting and credentialing. The Change Healthcare attack compromised protected health information for approximately 100 million Americans, according to the HHS Office for Civil Rights (2024). Whether you’re billing Medicaid, negotiating managed care contracts, or expanding services, cyber readiness directly impacts your capacity to lead and grow.
Consider the practical implications. State Medicaid programs increasingly require security attestations. Managed care organizations ask pointed questions about your security posture during contracting. Malpractice carriers adjust premiums based on cyber risk profiles. The calculus has shifted. What was once a technical concern now sits squarely in the boardroom, affecting every strategic decision you make.
The Path Forward Requires Executive Ownership
The behavioral health sector often works with thin margins, legacy infrastructure, and overworked IT support. But the cost of inaction keeps rising. Congressional testimony summarized by the U.S. House Energy and Commerce Committee (2024) revealed that the Change Healthcare breach occurred because a remote access server lacked multi-factor authentication, an industry standard mandated by HIPAA. The attackers didn’t need sophisticated tools or zero-day exploits. They leveraged stolen credentials against a system without basic protections.
You don’t need a team of engineers to get started. You need ownership, visibility, and a roadmap. Start with a gap assessment against the CPGs. Identify low-lift wins and high-risk gaps. Consider third-party virtual CISO services to fill leadership voids without hiring full-time. The assessment process itself creates value, forcing honest conversations about risk tolerance, resource allocation, and operational dependencies.
The Change Healthcare event made clear that someone else’s IT problem can become your business disruption overnight. The attack caused the value of claims submitted to drop $6.3 billion in just the first three weeks, according to analysis cited by the American Hospital Association (2024). Behavioral health providers with cash reserves for two weeks found themselves in crisis at week three. Some practices faced insolvency. Others cut staff hours or delayed payroll. These cascading failures stemmed from dependency on a single point of failure they didn’t even know existed in their operational chain.
Cybersecurity lives upstream from strategy. Every executive decision relies on digital trust, even if no one says so in the meeting. When you discuss opening a satellite office, you’re implicitly trusting your VPN infrastructure. When you implement telehealth, you’re betting on secure video platforms and encrypted data transmission. When you adopt a new EHR module, you’re depending on vendor patch management and incident response capabilities. These aren’t IT decisions. They’re enterprise risk decisions that belong in executive discussions.
The practical starting points matter more than the destination. Begin with credential hygiene. Enforce multi-factor authentication on all systems with external access. Implement a formal offboarding process that revokes access within 24 hours. Require unique logins for every user and prohibit shared accounts. These steps cost little but create immediate value by eliminating the most common attack vectors.
Next, address your vendor ecosystem. Inventory every third party with access to your network or patient data. Request current security certifications and incident response plans. Insert cybersecurity requirements into new contracts and renewal negotiations. This creates accountability and positions you to act quickly when a vendor experiences a breach. Remember, the Change Healthcare attack didn’t just impact UnitedHealth Group. It cascaded through every organization connected to their platform.
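The credential-hygiene and vendor-inventory steps above can be turned into a repeatable gap check. The script below is an added illustration written for this post; it is not Xpio Health's tooling and not part of the HHS CPGs. It runs over a constructed access inventory (the account and vendor records, field names, and the fixed audit date are all assumptions) and flags the four gaps the two paragraphs describe: externally reachable systems without MFA, shared accounts, offboarding that missed the 24-hour revocation window, and third parties with network or PHI access that have no current security attestation or incident response plan on file.

```python
"""Gap check against the credential-hygiene and vendor-access steps.

Added example, not code from the original post or from Xpio Health. All
records below are constructed for illustration; field names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# The post's target: revoke a departed user's access within 24 hours.
OFFBOARDING_SLA = timedelta(hours=24)

# Fixed audit timestamp so the sample run is deterministic (assumption).
AUDIT_TIME = datetime(2024, 6, 1, 9, 0)


@dataclass
class Account:
    user: str
    system: str
    external_access: bool            # system reachable from outside the network
    mfa_enabled: bool
    shared: bool                     # credential used by more than one person
    terminated_at: Optional[datetime] = None   # None = still employed
    revoked_at: Optional[datetime] = None      # None = access still active


@dataclass
class Vendor:
    name: str
    has_network_or_phi_access: bool
    attestation_expires: Optional[datetime]    # e.g. SOC 2 report expiry; None = nothing on file
    has_incident_response_plan: bool


Finding = Tuple[str, str]   # (finding code, subject)


def audit_accounts(accounts: List[Account], now: datetime) -> List[Finding]:
    """Flag missing MFA on external systems, shared accounts, and late offboarding."""
    findings: List[Finding] = []
    for a in accounts:
        subject = f"{a.user}@{a.system}"
        if a.external_access and not a.mfa_enabled:
            findings.append(("NO_MFA_EXTERNAL", subject))
        if a.shared:
            findings.append(("SHARED_ACCOUNT", subject))
        if a.terminated_at is not None:
            deadline = a.terminated_at + OFFBOARDING_SLA
            if a.revoked_at is None and now > deadline:
                findings.append(("OFFBOARDING_OVERDUE", subject))   # still active past the SLA
            elif a.revoked_at is not None and a.revoked_at > deadline:
                findings.append(("OFFBOARDING_LATE", subject))      # revoked, but after the SLA
    return findings


def audit_vendors(vendors: List[Vendor], now: datetime) -> List[Finding]:
    """Flag third parties with access that lack current attestation or an IR plan."""
    findings: List[Finding] = []
    for v in vendors:
        if not v.has_network_or_phi_access:
            continue   # no access to the network or patient data: out of scope
        if v.attestation_expires is None:
            findings.append(("VENDOR_NO_ATTESTATION", v.name))
        elif v.attestation_expires < now:
            findings.append(("VENDOR_ATTESTATION_EXPIRED", v.name))
        if not v.has_incident_response_plan:
            findings.append(("VENDOR_NO_IR_PLAN", v.name))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per code so leadership can see where the gaps cluster."""
    counts: dict = {}
    for code, _ in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


# Constructed sample inventory (not real organizations, users or vendors).
SAMPLE_ACCOUNTS = [
    Account("rdp-svc", "remote-access-gw", external_access=True, mfa_enabled=False, shared=True),
    Account("jdoe", "ehr", external_access=False, mfa_enabled=False, shared=False),
    Account("asmith", "vpn", external_access=True, mfa_enabled=True, shared=False,
            terminated_at=AUDIT_TIME - timedelta(days=3)),                       # never revoked
    Account("bjones", "ehr", external_access=False, mfa_enabled=True, shared=False,
            terminated_at=AUDIT_TIME - timedelta(days=5),
            revoked_at=AUDIT_TIME - timedelta(days=5) + timedelta(hours=2)),     # inside the SLA
    Account("clee", "billing-portal", external_access=True, mfa_enabled=True, shared=False,
            terminated_at=AUDIT_TIME - timedelta(days=10),
            revoked_at=AUDIT_TIME - timedelta(days=10) + timedelta(hours=48)),   # outside the SLA
]
SAMPLE_VENDORS = [
    Vendor("ClearinghouseCo", True, AUDIT_TIME - timedelta(days=30), True),   # attestation lapsed
    Vendor("TelehealthCo", True, AUDIT_TIME + timedelta(days=300), False),    # no IR plan on file
    Vendor("OfficeSupplyCo", False, None, False),                             # no access, skipped
    Vendor("BackupCo", True, None, True),                                     # nothing on file
]


def run_sample() -> List[Finding]:
    """Run both audits over the constructed inventory and return all findings."""
    return audit_accounts(SAMPLE_ACCOUNTS, AUDIT_TIME) + audit_vendors(SAMPLE_VENDORS, AUDIT_TIME)


if __name__ == "__main__":
    for code, subject in run_sample():
        print(f"{code:28} {subject}")
    print(summarize(run_sample()))
```

In practice the account records would come from an identity provider or HR export and the vendor records from the contract register; the point of keeping the checks this small is that a lean IT team can rerun them before every contract renewal or tabletop exercise and hand the summary counts to leadership as the gap list.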
Build a basic incident response plan and test it. Run a tabletop exercise where your leadership team walks through a ransomware scenario. Who makes the decision to pay or not pay? How do you communicate with patients, staff, and regulators? Where are your offline backups and how quickly can you restore operations? These conversations surface gaps in authority, communication, and technical capability long before an actual crisis forces improvisation under pressure.
Finally, recognize that perfect security doesn’t exist and isn’t the goal. The goal is resilient security that can detect intrusions quickly, contain damage effectively, and restore operations reliably. The CPGs provide a framework for this resilience, prioritizing controls that address real-world attack patterns rather than theoretical vulnerabilities. Organizations that implement even the essential goals see measurable improvements in their security posture and operational stability.
You’ve likely identified gaps while reading this. The question isn’t whether to address them, but how to start without derailing operations or exhausting your team. Xpio Health partners with behavioral health executives to operationalize cybersecurity goals, from gap assessments and policy development to full vCISO services. We help you turn guidance into guardrails while working within the constraints of tight margins and lean IT teams.
Contact Xpio Health to discuss your specific environment and build a roadmap that makes sense for your organization.
#BehavioralHealth #Cybersecurity #Leadership #PeopleFirst #XpioHealth
References
- American Hospital Association. Change Healthcare Cyberattack Underscores Urgent Need to Strengthen Cyber Preparedness for Individual Health Care Organizations and as a Field. AHA. 2024. https://www.aha.org/change-healthcare-cyberattack-underscores-urgent-need-strengthen-cyber-preparedness-individual-health-care-organizations-and
- U.S. Department of Health and Human Services. Healthcare and Public Health Sector-Specific Cybersecurity Performance Goals. HHS. 2024. https://hhscyber.hhs.gov/performance-goals.html
- Health Sector Coordinating Council. Statement about HHS Cyber Performance Goals. HSCC. 2024. https://healthsectorcouncil.org/statement-about-hhs-cyber-performance-goals/
- U.S. Department of Health and Human Services Office for Civil Rights. Change Healthcare Cybersecurity Incident Frequently Asked Questions. HHS.gov. 2024. https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html
- U.S. House Energy and Commerce Committee. What We Learned: Change Healthcare Cyber Attack. House Energy and Commerce. 2024. https://energycommerce.house.gov/posts/what-we-learned-change-healthcare-cyber-attack