Why healthcare mergers, acquisitions can uncover new cybersecurity risks

Hospitals are uniquely susceptible to security risks when different corporate and IT cultures come together.
By Bill Siwicki
03:09 PM

The mergers and acquisitions marketplace has been surging in recent years, with global activity reaching some of the highest volumes in history. By many accounts, the trend is poised to continue in healthcare. 

Although there are a number of issues that healthcare provider organizations must be aware of when evaluating the efficacy of a merger or an acquisition, in recent years cybersecurity has jumped to the forefront.


“Healthcare provider organizations need to be aware that they are uniquely susceptible to cybersecurity risks in conjunction with a transaction because of the nature of the data they handle,” said Marc Leone, a producer at Graham Company, one of the Mid-Atlantic’s largest insurance brokers, and a mergers and acquisitions risk expert. 

Elevated risks

Hospitals and health systems naturally handle a range of data types, including protected health information, names, addresses, credit card and social security numbers, all of which make them attractive targets for hackers and other cybercriminals.

These risks can be further elevated during acquisitions since the likelihood of a breach increases as the total cyber footprint expands, Leone said.


Additionally, in a transaction, the target company’s IT vulnerabilities ultimately become the acquiring company’s vulnerabilities. Thus, if a target organization has sub-standard safeguards in place, the acquiring company is at a greater risk of being breached.

“When one enterprise is in the process of acquiring another, the acquired organization could already have unknowingly been breached, setting the acquiring company up for a significant exposure once the target company is acquired,” Leone said. 

What to keep a close eye on

As with so many aspects of a merger, hospital leaders must conduct due diligence. That begins with a detailed evaluation of the company being acquired to understand any and all vulnerabilities.


The due diligence is not just about cybersecurity technology, either. Infosec is often viewed solely as a technology issue, but weaknesses are often people- and process-based. M&As almost always mean that many new employees will be joining an organization, and incidents are prone to come from email phishing schemes.

“It is imperative that the due diligence process evaluate the target company’s processes and ensure that all new employees receive proper cybersecurity training,” Leone said. “It is also important to understand that during and following an acquisition, there is a certain level of disorganization that inevitably exists that could lead to vulnerabilities since management’s attention will invariably be focused elsewhere.”

When a hospital is buying another one, it is crucial for the acquiring organization to take steps to evaluate existing cybersecurity systems of the target organization as a key component of the due diligence process. 

Executives should also work to improve the acquiring organization’s cybersecurity, as any transaction brings on increased risks when combining the entities’ technology systems and processes, Leone said.

And healthcare organizations must ensure all cyberthreats are properly analyzed and adequate insurance coverage is in place, should a costly breach occur. Appropriate coverage not only provides necessary protection when a breach occurs but can also provide front-end resources to lessen exposure and protect against a breach occurring in the first place, he said.

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com