Editor’s note: Damian Chung is a business information security officer and chief security officer of healthcare at Netskope.
Economic uncertainty often stimulates industry consolidation — and in fact, analysts at both Bain and PwC are predicting that mergers and acquisitions in the healthcare industry will pick up in 2023.
But beyond financial considerations, these transactions have many other motivating benefits. As the American Hospital Association notes, M&A enables hospitals to expand service offerings, broaden networks and access to specialists, and improve quality of care to better serve patients.
But one often overlooked aspect of an M&A or partnership is the increased potential for security risks — a factor that is being investigated in at least one recent healthcare patient data breach incident. While speed and secrecy are typically essential to these sorts of deals, health organizations need to include a security expert on the core team from the very beginning — not just to analyze risks, but also to facilitate the complexities of the process itself.
Securing the ‘due diligence’ stage
Business development groups should always involve at least one person from the security team among the trusted entities early in the transaction process. Far too often, a security expert isn’t invited to participate during the first stages of a merger or partnership in order to keep a potential transaction quiet. But since this is exactly when sensitive information starts being shared between organizations, security needs to be there.
To begin with, the acquiring company should perform a cybersecurity due diligence review to evaluate all aspects of the target organization’s security, including policies, procedures, account management, regulatory compliance, applications, application programming interfaces (APIs) and cloud/infrastructure security. Not all of the costs and risks of the transaction will be evident on the surface. Significant security investments may be needed to bring the target organization up to the same level as the acquiring company.
Another critical area to explore is undisclosed breaches and compliance issues. Acquiring companies have suffered significant losses after discovering a target’s past data breaches only once the deal was complete; in such cases, they can inherit significant fines and an overall reduction in deal value. Early detection can save your organization from unwittingly taking on the negative press and costs of a pre-existing security problem.
The due diligence stage is also when sensitive data (like financials) will start moving back and forth. A security expert on the core team can help ensure that communications are protected and that any delicate information is safely shared.
Protecting the planning phase
Before making any public announcement about an agreement, a security expert needs to start analyzing risks and potential exposures on both sides. As soon as word gets out about a merger or partnership, attackers may start trying to take advantage of the fluidity of the environments.
Another risk factor that needs to be tracked is that employees on both sides of the transaction may start feeling job insecurity due to potential redundancy or relocation requirements. Some people may explore other jobs, and in preparation for their exit they may start downloading work files or research they’ve done to their own private storage and collaboration tools.
While the intent may not be malicious, these kinds of insider activities may present a risk to the organization. Security should be monitoring for high-risk user behaviors and be able to apply controls that prevent sensitive or proprietary content from being exfiltrated.
Ensuring a seamless integration
Preparing for “Day One” of a merger or partnership includes many security considerations, starting with visibility. A perfect example would be a major hospital system branching out into a community through the acquisition of a smaller clinic. The hospital’s security team needs to see where all the data is flowing in that clinic in order to structure the overall security posture — before they join forces. Because once you’re connected to another organization, you’re also connected to any undiscovered threats or vulnerabilities present in their systems.
Unfortunately, some important security processes have to wait until Day One because they can’t be done prior to the deal closing. For instance, security often can’t start running deep, detailed scans until the acquirer officially owns the target organization. Some of the essential questions that will need to be answered immediately include:
- Does security have the ability to limit access to the target organization’s existing cloud services and applications to prevent data leaks?
- Can you identify and manage third-party integrations and detect any problematic activities being done by users in the target organization?
- Can you provide visibility and data protection for any new SD-WAN connections to branches or remote offices?
- Given that sensitive data may be sitting in unmanaged cloud environments, can security comprehensively assess the target organization’s threat monitoring capabilities, including granular visibility into data moving to and from the target’s cloud services?
Longer-term integration considerations should enable safe and efficient business processes across the newly combined organization. There will undoubtedly be a great deal of duplication: instances where the two organizations have been using different tools or systems to perform similar functions. To evaluate everything that’s currently in place, security needs the ability to identify all the different cloud applications that each business group is using, the number of users accessing them, the sensitivity of the data involved and the data movement that each system requires.
After compiling this comprehensive inventory, security can then analyze the total cost of ownership for protecting applications and data across the combined organization, which can then be referenced to help eliminate redundancies and inefficiencies.
Security should also continue to monitor for changes in user behavior that indicate increased security risk. M&As that involve different geographic locations, cultures, security controls and/or operating models carry increased risk for insider threats.
Accelerating the benefits of integration
Acquisitions, joint ventures and other forms of healthcare partnerships all benefit from having security involved from the earliest stages. Security staff can help protect sensitive communications, control information sharing, establish visibility into the target organization’s infrastructure and identify potential threats that would devalue the transaction.
But beyond shielding the acquirer from risks, a security expert can also help realize the benefits of bringing these two organizations together sooner rather than later. Whether it serves financial necessity, operational efficiency or expanded care offerings, this integration should make both companies more than the sum of their parts. The sooner that can happen, the better for everyone — staff, clinicians, and patients.