Behavioral Health Clinic Finds Success on Its Cybersecurity Journey

For years, the healthcare industry has been a primary target for cyberattacks and tops the list as the most expensive industry for data breaches for the 12th year in a row. The average breach for a healthcare organization costs $7.42 million, according to IBM's Cost of a Data Breach Report 2025. Healthcare organizations, such as large hospital systems and medical centers, are attractive targets because they store protected health information (PHI) including Social Security numbers, birth dates, and medical records that threat actors find financially valuable. Smaller hospitals, federally qualified health centers, and behavioral health clinics are also at risk of cyberattacks due to the large volume of PHI that they collect and store.

When any organization suffers a cyberattack, the impact can involve downtime and data loss. When a healthcare provider gets hit, it can also impact patient access to care, crisis response, clinician access to patient records, clinical workflows, and the trust of the surrounding community — and that's especially impactful for behavioral health clinics serving a vulnerable population.

In a recent webinar, Brian Stone, Chief Revenue Officer at Pondurance, was joined by Gulf Coast Center executives Felicia Jeffrey, CEO, and Dr. Devon Stanley, Chief Information Officer, to discuss cybersecurity as an operational and clinical risk rather than just a technical risk. Felicia and Devon briefly explained how they started their cybersecurity journey, challenges they had and what they did to overcome them, and how they have made progress as the journey continues.

Starting out

Gulf Coast Center is a local mental health authority and a certified community behavioral health clinic that provides accessible, efficient, and quality services to the people in Galveston and Brazoria counties in Texas regardless of their ability to pay. The organization offers services for mental health, substance use, and intellectual and developmental disabilities, as well as community education and disaster recovery support. The organization's niche is its ability to fill gaps in care in the community either by directly providing services or partnering with others in the community that can provide them.

When Felicia and Devon started with Gulf Coast Center, the organization needed a modern system that aligned with its mission. They worked to balance security, compliance, and modernization while allowing the clinicians and staff to effectively do their jobs. They slowly added new tools and technology to the existing system to fill some of the gaps in the environment. As they made changes, they would ask each other, "What keeps you up at night?" The sleepless nights usually involved concerns about how to protect the system from a cyberattack. They knew the organization needed cybersecurity protection, but that knowledge led to other questions such as: How do we afford to do this? And can we afford not to do this? 

Felicia and Devon wanted to partner with a cybersecurity provider that believed in Gulf Coast Center's mission and vision and cared about its success. They wanted a provider that would grow with them, give them a road map to success, and assure that there would not be downtime. For a behavioral health clinic, operational downtime would affect patient access and clinician productivity. The organization also needed a provider that would extend its capabilities, offer 24/7 monitoring and response, and integrate into its workflows.

Felicia and Devon talked with the board of directors about reinvesting the organization's limited resources into cybersecurity to stay modern and maintain a reliable system of care, and the board agreed that cybersecurity should be a priority. With everyone in agreement, Gulf Coast Center partnered with managed detection and response provider Pondurance to tackle its cybersecurity challenges.

Overcoming challenges

Though Felicia and Devon had worked hard to evolve the cybersecurity program with new tools and technologies, there were still gaps. Tools and technology were not fully integrated, visibility was inconsistent across the environment, and the cyber insurance policy required attention. The team needed to work together to overcome these challenges.

• Tools and technology. Modernization doesn't always mean purchasing more tools. For Gulf Coast Center, it also meant getting the maximum value from the technology that they already had. One of the first things the team did was conduct a thorough audit of its technology capabilities to see what tools the team had to work with. The team members were able to consolidate tools, reduce overlap, and identify ways to make improvements to endpoint management, identity protection, and visibility. Fully understanding the technology that they already had helped Gulf Coast Center quickly improve its security posture and build credibility with the board of directors as being responsible stewards of the cybersecurity investment.

• Visibility. Gaps in visibility didn't allow Gulf Coast Center to see what was happening across all endpoints, identities, cloud applications, and remote access devices in real time. With Pondurance's help, Gulf Coast Center was able to reduce the blind spots for a much clearer picture of what's going on in the environment. The organization's improved visibility included centralized monitoring, stronger identity controls, and actionable alerts. Now, Gulf Coast Center can see what assets it has, where the sensitive data is located, who has access to the data, and how fast the team can detect and respond to a threat.

• Cyber insurance. Every cybersecurity program can benefit from having a strong understanding of insurance coverages. The team went through the cyber insurance policy line by line and soon realized that it needed coverage that more closely aligned with the organization's overall strategy. Gulf Coast Center now has a cyber insurance policy that is right for its unique needs, so the team can feel confident about using the coverage if a cyber event occurs.

Making progress

Gulf Coast Center has made great strides in its cybersecurity program. The organization has created a true operational program that integrates its people, processes, technology, strategy, and governance into a comprehensive program. Today, it has greater visibility, stronger monitoring, better alerts, improved incident response, and faster detection abilities — and the organization is not done yet. Felicia and Devon still have items to address on the road map, but they know they don't have to accomplish everything at once. They continue to use a phased approach, starting with the most critical components, to get the organization to its destination. 

Overall, the cybersecurity program has reduced the risk to the organization and lowered the stress level of Gulf Coast Center's internal team. It has allowed for improved strategic alignment where the organization can focus on priorities, operations, and long-term goals. For Gulf Coast Center, cybersecurity is always a concern, but it's no longer a constant worry. The peace of mind from having a modern cybersecurity program and a partner like Pondurance allows the team to sleep well at night and have confidence in the system 24/7. 

Conclusion

Healthcare organizations are attractive targets for cyberattacks, and behavioral health clinics are no exception. But can a smaller healthcare organization afford a cybersecurity program? Can it afford not to have one? Gulf Coast Center did its due diligence to find a way to successfully create a cybersecurity program to stay protected. Learn more about the organization's cybersecurity journey. Watch the webinar.