'Systemic Risk' Stalks Healthcare Sector

Erik Decker, CISO of Intermountain Health, on Critical Supply Chain Considerations Marianne Kolbasuk McGee (HealthInfoSec) • March 12, 2026 11 Minutes

The 2024 ransomware attack on Change Healthcare was a supply-chain earthquake for the U.S. healthcare sector, showcasing how damaging third-party exposure can be, said Erik Decker, CISO of Intermountain Health and co-chair of a federal cyber advisory committee for the healthcare sector.

The attack on UnitedHealth Group's IT services unit Change Healthcare resulted in massive clinical and billing related disruptions for thousands of healthcare organizations for months. It "was systemic risk materialized about a risk we always had but we didn't necessarily have the proper lens to find it," he said in an interview with Information Security Media Group during the HIMSS26 conference in Las Vegas.

"Not every vendor is going to be as critical into the pipeline of ...