Skip to main content

Contributed Content: 4 Ways Forward in The Aftermath of The Change Healthcare Attack

Analysis  |  By Chris Van Gorder  
   April 02, 2024

The Change Healthcare attack has rocked the healthcare industry, and as CEO of a health system that has come out on the other side of the same storm, the path forward requires a recalibration of responsibilities and expectations.

Editor’s note: Chris Van Gorder is president and CEO of Scripps Health located in San Diego, CA.

The recent cybersecurity discourse, particularly in the wake of the Change Healthcare cyberattack, has unveiled a stark disconnect between the expectations placed on healthcare providers and the reality of our cybersecurity challenges.

Legislators have been quick to point fingers, with suggestions to hold healthcare CEOs and organizations directly accountable for breaches. This rhetoric grossly oversimplifies and misrepresents the issue at hand. And it blames the victims, rather than the international terrorists that attack them.

The federal government has an important role to play in providing specific requirements for healthcare cybersecurity. This includes creating accountability for meeting those requirements and shielding compliant organizations from liability. The requirements outlined in the HIPAA security rule could be updated to meet this need. 

Are we to be held accountable when these requirements are not aligned with current threats?

And are healthcare providers to be held solely responsible for defending against sophisticated international cybercriminals?

What’s more, actual healthcare providers—hospitals and clinics—are being lumped together with insurers, device manufacturers and pharmaceutical companies in political conversation. That is unrealistic and dangerous.  

The other entities do not provide direct patient care, nor do they face the same operational realities as health care providers. Their profit margins often allow for more substantial investments in cybersecurity defenses—a choice not afforded to many healthcare providers, particularly not-for-profit, safety net, and rural hospitals operating on razor-thin margins.

And the potential consequences of cyberattacks against healthcare providers are much more dire than those against other healthcare organizations. Of course, hospitals and clinics feel the enormous strain of not getting paid for treating patients, as is the case with the Change breach. But, when healthcare providers are attacked, patients’ lives are literally at risk. Attackers know providers will do anything to protect patients, which is why hospitals make good targets for these immoral, callous criminal organizations to whom human life is cheap in comparison to the potential payoff.

Our experience at Scripps Health with a 2021 cyberattack starkly illustrates the relentless and unpredictable nature of these threats. Despite our preparedness and investments, we were still breached, suffering significant operational disruptions and $112.7 million in lost revenue and incremental expense.

This incident underscores the hard truth that while in the realm of cybersecurity complacency is the enemy, even the most diligent cannot always withstand the evolving tactics of cyber adversaries.

Four ways forward

The path forward requires a recalibration of responsibilities and expectations.

First, the federal government must spearhead the development of updated, realistic cybersecurity requirements tailored to the current threat environment and diverse landscape of healthcare providers.

Second, it must assume its role in protecting the nation’s health care infrastructure against cyber threats, providing the necessary resources and support to those on the front lines.

Third, funding must be allocated to enable healthcare providers to fortify their defenses adequately. It’s unreasonable and unfair to expect hospitals to shoulder the financial burden of national security threats.

Lastly, we must shield healthcare organizations which comply with requirements from punitive actions and opportunistic litigation. Such protections are crucial to ensuring that hospitals can focus on their primary mission—patient care—without the constant threat of financial ruin due to circumstances beyond their control.

Cybersecurity in healthcare is a complex, multifaceted challenge that demands a nuanced, collaborative approach. It’s time for a frank reassessment of our expectations and support structures. We must make a concerted effort to ensure the security and resilience of our health care infrastructure.

Lives depend on it.

Editor's note: Care to share your view? HealthLeaders accepts original thought leadership articles from healthcare industry leaders in active executive roles at payer and provider organizations. These may include case studies, research, and guest editorials. We neither accept payment nor offer compensation for contributed content. Send questions and submissions to content director Amanda Norris at

Chris Van Gorder is the President and CEO of Scripps Health located in San Diego, CA.


The cybersecurity discourse in healthcare reveals a disconnect between expectations and reality, with healthcare providers facing blame for breaches caused by sophisticated international cybercriminals.

Healthcare providers, particularly hospitals, face dire consequences from cyberattacks, with patients' lives at risk.

The path forward requires updated, realistic cybersecurity requirements tailored to the current threat environment and diverse landscape of healthcare providers.

Get the latest on healthcare leadership in your inbox.