The CISO's Checklist for Healthcare Acquisition

[EDITORS NOTE] The following interview with CI's EVP of Professional Services, Fred Langston, CISSP, CCSK, discusses topics he and CISO Mike Hamilton, CISSP, will present at our upcoming webinar with Healthcare IT News on Tuesday, 10/23/18, at 11am PT. You can register for the webinar here. We look forward to seeing you there!

 

Any longtime observer of the healthcare industry has to be somewhat taken aback by the speed and breadth of the current healthcare provider industry consolidation; 2017 alone had 115 mergers and acquisitions announced. These trends have continued into 2018, with more existing clinical practices and regional hospitals being absorbed into larger hospital, clinical, and laboratory super-entities. All too often, these large acquirers avoid discussing the state of security and data protection at these smaller practices, hospitals, and diagnostic centers.

The CISO in the healthcare environment has an important role to play during a major acquisition—whether they are the target for acquisition, or the acquirer, both face major consequences if security is not given the attention it warrants during the transition.

CI Security’s VP, Fred Langston, knows this issue first-hand as an InfoSec consultant with experience supporting a variety of healthcare acquisitions. We sat down with him to talk about our upcoming HIMSS webinar, The CISO’s Checklist for Healthcare Acquisition, which will review critical steps for the CISO and InfoSec pro within the healthcare M&A process.

 

A recent report from the PwC Health Research Institute notes data privacy, cybersecurity, and securing IoT as the top cybersecurity issues for the healthcare industry in 2018. Why is information security, especially for merger or acquisitions, a critical topic for healthcare organizations?

With the large volumes of mergers and acquisitions (M&A), there are healthcare systems that immediately join IT networks and possibly degrade the security of the more secure facility. This increases the possibility of a records breach and other malicious activity.

 

Consulting firm West Monroe Partners found in a May 2018 study that 49% of buyers reported dissatisfaction with the cyber due diligence process in acquistions. What are some of the consequences when merging healthcare systems do not address information security?

Increased risk to the business strategy of the M&A, and increased risk of breach are the top consequences of under-managing the integration of the security programs. These increased risks are significant—should a breach occur after the merger, the newly integrated organization’s outcomes couldn’t be more daunting.  Fines for compromised patient records, lost revenue from the damage to the company’s reputation, and increased oversight from regulatory bodies are all outcomes they would have to face in subsequent years post-breach. These bad outcomes are avoidable.

 

When should organizations start reviewing information security during the M&A process?

As soon as the acquiring organization determines interest in the target for acquisition. At that point, the due diligence should involve a thorough risk assessment. Once the acquisition is confirmed, InfoSec leaders can get a step ahead by using that risk assessment to build and implement the security program’s integration strategy up to and through the acquisition. Many more tips for both the acquirer and acquired will be shared during the upcoming webinar on 10/23 to guide organizations through an acquisition.

 

Are there any highlights you can share as a preview for the webinar?

A few things… I will be joined by my colleague and fellow CI Founder, Michael Hamilton, former CISO of Seattle. Mike and I will discuss steps for long term InfoSec success in expanding healthcare networks following an acquisition. Registrants will also get a complementary deep-dive guide to assist security planning throughout the M&A process.

I think any InfoSec pro working in a healthcare organization will get a lot out of the materials presented. Also, folks should bring their questions for our interactive Q&A session at the end. Register here, and we'll look forward to seeing you there.

Fred Langston

Fred Langston CISSP, CCSK

Executive VP of Professional Services