Five M&A Security Issues Healthcare Organizations Must Consider

By Kurt Long, CEO and founder, FairWarning, Inc.
Twitter: @FairWarningLLC
Twitter: @KurtJamesLong

Mergers and acquisitions are on an upward trend in the U.S. healthcare industry. Last year alone, more than 50 hospitals merged. As healthcare organizations join forces, their goal is to create operational synergies that will better serve their patients. However, these worthwhile benefits come with the challenge of additional complexity.

Healthcare organizations already face a complicated cybersecurity landscape. And, as the saying goes, complexity is the enemy of security. This certainly holds true during hospital mergers and acquisitions, which heighten the risk of security incidents and data breaches for these organizations. Below are five M&A security issues to consider during these times of intense change.

1. How to Merge Information Security Policies
The organizations involved must decide, in advance of the M&A activity, how they will align their separate information security policies. The newly merged organization needs to be consistent with its plans to ensure transparency and continuity, not haphazardly use policies from the previously separate entities. The merged company has three options moving forward: 1) Pick one group of policies from the previously independent companies and disregard the rest; 2) Write policies from scratch; or 3) Consolidate policies. Once systems are aligned, gaps must be assessed to develop a new information security strategy that enables the hospital to better protect its operations and patients going forward.

2. Creating a New Incident Response Plan
There’s no one person or team responsible for everything; job roles and duties need to be negotiated as two or more IT teams are merging. The organization must map out—before an incident occurs—a coordinated incident response to avoid any finger pointing or blame trading. The organization should determine how it integrates monitoring and incident response capabilities and tools. It is essential that the organization respond swiftly and in a methodical manner to information security incidents.

3. Sorting Out Identity and Access Management
The new healthcare entity must be able to succinctly answer this question: How will employee access and user identities be defined? Oftentimes, when a merger occurs, a large influx of users enters the network. Many of these users also become “unknown,” allowing them to perform activities without monitoring and sanctioning, putting your organization at security risk. Users should be identified and given consistent employee access for their role. Some healthcare organizations are using solutions that automate the correlation of detailed user information from human resources and application logs to create accurate and centralized user profiles. This offers enhanced security by providing the clearest picture possible of users and their behaviors within an organization.

The “principle of least privilege” should be applied when identity is established, wherein users are given only the permissions necessary to perform their job.
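As an added example, not code from the article or from any FairWarning product, the following Python sketches the HR-to-application-log correlation described above: it builds one profile per account from a constructed HR roster and constructed audit log lines, flags accounts that are active in the logs but have no HR identity (the "unknown" users), and checks known users against an assumed role-entitlement table as a least-privilege check. The roster schema, log format and entitlement table are all assumptions.

```python
# Constructed HR roster for the two merged entities (assumed schema, not from the article).
HR_ROSTER = [
    {"user_id": "jsmith", "role": "nurse", "entity": "HospitalA"},
    {"user_id": "a.lee", "role": "billing", "entity": "HospitalB"},
    {"user_id": "mpatel", "role": "physician", "entity": "HospitalA"},
]

# Constructed application audit log, one "timestamp,user,application,action" per line.
APP_LOG = """\
2024-03-01T08:01:00Z,jsmith,EHR,view_patient_chart
2024-03-01T08:05:00Z,a.lee,Billing,export_claims
2024-03-01T08:07:00Z,legacy_admin,EHR,view_patient_chart
2024-03-01T08:09:00Z,a.lee,EHR,view_patient_chart
2024-03-01T08:12:00Z,mpatel,EHR,order_medication
"""

# Assumed least-privilege policy: the applications each role is entitled to use.
ROLE_ENTITLEMENTS = {"nurse": {"EHR"}, "physician": {"EHR"}, "billing": {"Billing"}}

def parse_log(text):
    """Split CSV-style audit lines into event dicts."""
    return [dict(zip(("ts", "user", "app", "action"), line.split(",")))
            for line in text.splitlines() if line.strip()]

def build_profiles(roster, events):
    """One profile per account: HR identity (if any) plus the applications it touched."""
    profiles = {r["user_id"]: {**r, "apps": set()} for r in roster}
    for e in events:
        p = profiles.setdefault(e["user"], {"user_id": e["user"], "role": None, "entity": None, "apps": set()})
        p["apps"].add(e["app"])
    return profiles

def find_unknown_users(profiles):
    """Accounts active in the logs with no HR identity: unmonitored 'unknown' users."""
    return sorted(u for u, p in profiles.items() if p["role"] is None)

def find_entitlement_violations(profiles, entitlements):
    """Known users who touched an application outside their role's entitlement."""
    violations = []
    for u, p in sorted(profiles.items()):
        extra = p["apps"] - entitlements.get(p["role"], set()) if p["role"] else set()
        if extra:
            violations.append((u, sorted(extra)))
    return violations

if __name__ == "__main__":
    profiles = build_profiles(HR_ROSTER, parse_log(APP_LOG))
    print("unknown users:", find_unknown_users(profiles))
    print("entitlement violations:", find_entitlement_violations(profiles, ROLE_ENTITLEMENTS))
```

In a real deployment the roster would come from the HR system of record and the log lines from each application's audit trail; the two checks are the ones to run first when the merged user base floods in.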

4. Locating Cloud Data
Electronic protected health information (ePHI) and other kinds of sensitive data are already scattered across healthcare organizations’ cloud applications and information systems in huge quantities. Merging two organizations increases the volume of confidential data and the footprint of that data dispersed over the network. The newly merged organization needs to know where that confidential data exists and how it is being protected. From that assessment, the organization can then standardize its practices to protect that data. Healthcare organizations can use next-generation compliance and information security platforms to protect patient data stored in electronic health records, the cloud and big data sets, as required by HIPAA.

5. Access Standards for Third Parties
Fifty-six percent of businesses reported a third-party data breach, according to a 2017 Ponemon report, Data Risk in the Third-Party Ecosystem. Non-employees such as vendors and contractors may have substantial access to the organization’s information assets. As with employees, the newly merged company must decide upon consistent access standards for its contractors and how those standards will be enforced. Furthermore, with stronger user identities, third-party employees can be better tracked and monitored.

Prioritize Data Security
Healthcare IT is a complex web of networks, technologies and regulations to begin with. Throw in a merger or acquisition, and things get even more interesting. There are so many other M&A details to attend to that IT—and, therefore, data security—can get lost in the shuffle. Cybersecurity gaps are created by the differences in each organization’s procedures, policies, teams and technologies – gaps that cybercriminals are looking to exploit. In addition, employees unfamiliar with new technology or procedures can cause breaches themselves or leave the door wide open for malicious outsiders.

These chinks in the IT armor must be closed immediately so that patient and organizational data remain secure. This requires organizations to think and act proactively regarding data protection throughout the entire M&A process. Use the recommendations above to create a new organization that successfully secures its data and the trust of those it cares for.