Health Sector Coordinating Council Aiming to Identify Healthcare Workflow Chokepoints
As cyber threats against healthcare systems escalate, industry leaders are working to identify the weak points that could cripple patient care and hospital operations. Speaking at the HIMSS 2025 Global Conference, Greg Garcia, Executive Director of the Health Sector Coordinating Council Cybersecurity Working Group, outlined an initiative aimed at mapping the vulnerabilities of interconnected healthcare systems.
“The healthcare industry is deeply interdependent,” Garcia said. “Every service—from payments to prescriptions to electronic health records—relies on a vast digital infrastructure. Identifying cyber chokepoints is a necessary step in safeguarding the industry.”
Recent cyberattacks, including the Change Healthcare breach, have demonstrated the fragility of this ecosystem. The attack disrupted prior authorizations, prescription processing, and hospital payments, effectively paralyzing operations in multiple health systems. “A third of the healthcare system was effectively offline,” Garcia noted. “That’s a systemic failure we cannot afford to repeat.”
Getting SMART
The Health Sector Coordinating Council is spearheading an initiative called the Strategic Mapping of Active Risk and Threats (SMART), designed to break down healthcare workflows and pinpoint digital vulnerabilities. By tracking critical dependencies—such as third-party vendors, IT systems, and cloud-based services—the initiative aims to equip hospital executives with a clear risk assessment framework.
To mitigate cyber threats, healthcare executives must first understand their own operational dependencies. “When you walk through a process map, you quickly realize how interconnected everything is,” Garcia said. “From patient intake to insurance payments, a single disruption can cascade through the system.”
The initiative is focused on identifying systemically important entities, a concept borrowed from the financial sector. Organizations deemed “too big to fail” may be required to implement stricter cybersecurity measures. However, as Garcia pointed out, no single entity is immune. “It’s not just about major corporations. A small vendor supporting multiple health systems can be a single point of failure.”
Over the past year, cyberattacks on healthcare institutions have reached alarming levels. Ransomware, supply chain vulnerabilities, and phishing campaigns have all contributed to system outages that disrupt patient care. Attackers are exploiting weaknesses in third-party vendors, cloud computing platforms, and legacy IT infrastructure.
The Change Healthcare cyberattack served as a wake-up call for many health system leaders. The breach, which halted payment processing for numerous hospitals, highlighted the risks associated with vendor reliance. “A cyberattack on one entity shouldn’t cripple an entire sector,” Garcia said. “We must build resiliency into the system.”
Read the full article at HealthSystemCIO.com. Click Here
Learn more about:
The Three Phases of SMART
- Mapping Risk
- Assigning Risk Levels
- Implementing Risk Mitigation Strategies
Immediate steps Healthcare executives can take to improve cyber resilience
