We are proud to be named a West Coast Regional Leader for 2024

3 steps to strengthen health care cybersecurity strategies

ARTICLE | May 30, 2024

Authored by RSM US LLP

Earlier this year, Change Healthcare, among the world’s largest health care clearinghouses for medical claims, experienced a devastating cybersecurity incident. The event shut down the organization’s electronic payment platforms and pharmacy network services. The impact continues to be far-reaching for any health care system that relied on Change Healthcare’s services. Critical processes at health care organizations came to a halt, hampering both providers and patients.

According to an American Hospital Association survey, 94% of hospitals are experiencing a financial impact from the Change Healthcare cyberattack, with more than half describing it as “significant or serious.”

“Many medical practices and health systems continue to experience major revenue struggles that threaten their overall financial viability not only due to the revenue cycle disruption, but also because of the impact on basic financial operations such as processing payroll,” says Greg Vetter, an RSM principal and health care cyber risk services leader.

Operational and communications challenges are many when a breach involves sensitive patient information, he says. Vetter recommends organizations shore up their cyber flanks and consider the following:

Conduct a robust review of business continuity and disaster recovery planning. This work enables an organization to sustain essential operations during a major disruption to systems, processes, facilities and more. An organizational business impact analysis, often the foundation of recovery planning, should include essential vendors and other third parties supporting critical business activities—a measure that would have helped organizations identify the Change Healthcare risk and provided the opportunity to respond more effectively.

Take inventory of all third parties deemed critical to the organization. The process for identifying high-risk vendors is nuanced and must be thoughtfully executed, as risk is not just driven by vendor spend or proximity to the largest applications or processes. The inventory should document the services provided and business processes the vendor supports, as well as the type of data stored, processed or transmitted on the organization’s behalf. In addition, organizations should consider their extended vendor ecosystems that include fourth parties, along with the vendors and service providers third parties rely on. Due diligence should be conducted regularly during the vendor relationship.

Carefully evaluate the overall cyber program. Cyber incidents can originate with a vendor and other third parties, but the greatest risk to an organization remains the failure of their internal cyber protections. Organizations should regularly assess their program to ensure it is meeting the requirements of a rapidly changing digital world.

"Many medical practices and health systems continue to experience major revenue struggles that threaten their overall financial viability."

Greg Vetter, RSM Principal

Let's Talk!

Call us at +1 213.873.1700, email us at or fill out the form below and we'll contact you to discuss your specific situation.

  • Topic Name:
  • Should be Empty:

Source: RSM US LLP.
Reprinted with permission from RSM US LLP.
© 2024 RSM US LLP. All rights reserved.

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent assurance, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit for more information regarding RSM US LLP and RSM International.

​Vasquez + Company LLP has over 50 years of experience in performing audit, tax, accounting, and consulting services for all types of governmental entities, nonprofit organizations, private companies, and publicly traded companies. We are the largest minority-controlled accounting firm in the United States and the only one to have global operations, and certified as MBE with the Supplier Clearinghouse for the Utility Supplier Diversity Program of the California Public Utilities Commission.

For more information on how Vasquez can assist you, please email or call +1.213.873.1700.

Subscribe to receive important updates from our Insights and Resources.

  • Should be Empty: