As Chicago-based CommonSpirit Health, formed by the merger of Dignity Health and Catholic Health Initiatives in 2019, dealt with a weeks-long fallout from a ransomware attack, health system CIOs and chief information security officers say these large acquisitions can make healthcare systems more vulnerable to security breaches.
A healthcare merger and acquisition is not just adding one organization to another; it could also mean inheriting security flaws and vulnerabilities, said Vasanth Balu, CIO of Greensburg, Pa.-based Excela Health.
"Merger and acquisition activities mix new assets, technologies, processes and organization culture from two or more organizations, and risks are always evolving during the period of change," said Hugo Lai, chief information security officer of Philadelphia-based Temple Health. "It's hard for the involved parties to stay focused on top risks. In addition to that, resources are typically stretched to a limit, and team fatigue can break or create gaps in processes that are typically robust. Above all, healthcare organizations want to maintain quality of care to patients, and IT may be left with little time to plan for the transition. Mergers and acquisitions could just be the beginning of a major cyber event that hits months later."
In addition, large health systems that encompass multiple organizations like CommonSpirit rely on a vast network of providers.
And when health systems expand, it introduces new IT infrastructure to existing infrastructure, which can become a complex task for the IT team to integrate.
This leaves organizations to facilitate business requirements by making changes to things such as firewalls, network switching, routing changes, system integrations, identity access management, domain trust and secure connections, according to Raymond Lowe, senior vice president and CIO of Commerce, Calif.-based AltaMed.
But these IT system changes don't happen overnight and can take some time.
Additionally, the majority of organizations being merged or acquired tend to be smaller organizations with low levels of sophistication, meaning they need to share a lot of data between them.
"Each organization may not have the same strengths related to cybersecurity practices, which can create gaps in overall posture," said Greg Garneau, chief information security officer of Marshfield (Wis.) Clinic Health System. "Larger health systems are acquiring rural critical access and community hospitals that don't have mature cybersecurity practices, which increases the risk to both organizations."
This can lead to situations where a threat or hacker enters into a network from one place, but will gain the ability to impact an entire set of entities within that same network.
Evaluating risks before a merger
"These transactions typically bring a significant amount of cyber risk as fast-tracked transactions miss evaluating intangibles, such as cyber risk, from the business value calculation," said Julian Mihai, chief information security officer of Philadelphia-based Penn Medicine.
Cybersecurity experts told Becker's that before a health system makes a merger or acquisition deal, they need to apply the same critical lens to the cybersecurity risk of a deal, the same way it would apply the financial benefits.
"It's critical to approach these types of opportunities by paying very specific attention to the cybersecurity due diligence activities," said Tom Barnett, chief information and digital officer of Memphis, Tenn.-based Baptist Memorial Health Care.
"One effective strategy is to form partnerships with trusted security firms that can perform these types of assessments to assist you — similar to getting an independent home inspection on a new house purchase. And it is critical that no matter how much intel you gather on the new organization, you must have a methodical and careful plan for transitioning or migrating the new technologies and digital assets into your organization."
Mr. Barnett said health systems must complete a "clean room" methodology and a zero-trust approach, meaning organizations should use new security equipment instead of trying to consolidate each organization onto the same IT platform and systems.
"Better safe than sorry, as there is no room for error," said Mr. Barnett.
Mr. Barnett said things are changing with merger and acquisition deals — the security posture of an organization is increasingly becoming an important acquisition factor for health systems.
"It is probably the second item that is closely examined right after the overall financial health of an organization," said Mr. Barnett. "It has become one of the more discussed aspects of these deals. It's that important now."