The CISO's Checklist for Healthcare Acquisition- Webinar

 

[VIDEO] Watch "The CISO's Checklist for Healthcare Acquisition" webinar or jump to your preferred topic below. The webinar features Fred Langston CISSP CCSK and Mike Hamilton CISSP.

Trends in Cybersecurity in Healthcare

Trends in Healthcare Cybersecurity: Mergers & Acquisitions

Cybersecurity Due Diligence: Issues and Potential Outcomes

Steps to Take When the Acquisition is in Consideration

Steps to Take Once the Acquisition is Confirmed

Steps to Take Post Acquisition

Q&A

 

View the full transcription of the webinar.

HIMSS Moderator [00:01]:

Hi, welcome. Thank you for attending today's HIMSS learning center webinar, CISO checklist for healthcare acquisition sponsored by CI Security. My name is Jessica Davis senior editor for healthcare IT news and I'll be your moderator today. The CISO in the healthcare environment has important role to play during a major acquisition whether they are the target for acquisition or the acquirer. Both face major consequences if information security is overlooked or mishandled during the transition. When security professionals on each side of a table are involved early and often, the security risks involved with this healthcare act position can be significantly reduced and the probability of a smooth transition and long-term success can be maximized. With that, I'll hand it over to Mike to begin the presentation. Thank you.

Mike Hamilton [00:49]

All right. Thank you, Jessica, and hello everyone. Thank you for attending. So, first of all, here's who's going to be talking to you today. My name is Mike Hamilton. My history is mostly in government. Government does include the health sector. I have been a policy advisor for the government in Washington State. I was the chief of information security for the City of Seattle for about eight years. Prior to that, I was the managing consultant for Verisign as global security consulting and have been in and out of every sector you can imagine. Fred, you want to introduce yourself?

Fred Langston [01:30]

Sure. Fred Langston here. EVP of professional services at CI Security. Mike didn't allude to the fact that we go back almost close to 30 years together in information security. In the mid 90s notably when I was at IBM, I was on a working group that helped draft some of the proposed HIPAA Security language, so very involved in HIPAA since its inception when it was a baby. Around the turn of the century before HIMSS actually had a separate security session as a part of a group called the risk management alliance, I was one of the leaders of the security sessions that used to break out and meet across the street from the Orlando Convention Center. In the late part of 2010 decade, I was also on the high-trust alternate controls committee. So, long history in healthcare joining Mike Hamilton here at CI Security about five years ago, and I'd love to talk to you today.

Mike Hamilton [02:33]

Okay. Yeah. I don't tell people about me and you going back 30 years because that was pretty … the whole hand rolling firewalls and selling to defense companies was crazier than I like to remember. Moving on. So, here's what we're going to talk about today. The CISOs checklist for healthcare acquisition. So, we're going to do this in three parts. First, I think what we want to do is talk about some trends in healthcare and specifically around IT security. Some of you may know that CI Security puts out a daily curated list of news articles. We call it a News Blast, and as such, I get to go through lots of stuff every day and trends emerge. So, we'll talk about some of those trends as it applies to healthcare information security.

Mike Hamilton [03:22]

Let's talk about the acquisitions that are going on. There's a lot of consolidation going on in the space right now. Bigger covered entities are scarfing up clinics and things like that, partially because it's the only way to survive in a time when there is a lot of uncertainty around insurance, healthcare costs are spiraling out of control, there’s some efficiencies to be gained with size etc., etc., so we'll talk a little bit about that. Then we'll talk about to the extent that you are entering into an acquisition. You're either an acquiring or an acquired company. There’re probably some things that you should think about in order to get the process to come out with the outcomes that you want. So, there's our agenda. So, the first part of that is we're going to talk about some trends in healthcare. I'm going to go ahead and take this part of the presentation since I am the one that goes through hundreds of news articles every day to pick out the ones that we can send out to our constituency.

Mike Hamilton [04:24]

So, some of these things I'm sure that many of you on the call are already familiar with. I think there's some interesting factoids that you can tease out of this. So, what I see when I see that there is 52% of respondents say that a lack of expertise is the barrier to handling information security incidents, I would repackage that and say that the availability of qualified security practitioners for the great bulk of the health sector is very low. There's a lot of competition for these resources right now. They are horribly expensive, and they are difficult to retain. They know that they can change jobs very frequently and increase their salary.

Mike Hamilton [05:15]

So, right now, it's a real seller's market and it looks to be that way for about the next five years. I think that's really the root problem. The way the question was asked generates a response of lack of expertise. I think it's just a lack of availability of qualified practitioners. Again, 62% talk about inadequate levels of training. So, what they're talking about here is user training. Again, it makes this a people problem the lack of availability of qualified practitioners is a people problem. Users that are in adequately trained and in some cases cannot be trained. That is also a people problem. The trend for a breached record in the health sector to be about twice what it's worth in other sectors I think is interesting as well. We have done a little bit of work digging into this number. There is a tail for the costs that you can expect when there is an unauthorized disclosure of protected records. In 50 states now, there are data breach reporting statutes and so any organization that loses protected information has got to comply with that.

Mike Hamilton [06:34]

It's compounded for the health sector because of the secondary and some might say the primary influence of HIPAA and the requirement to do a public report, when there's been a sufficiently large unauthorized disclosure. That tail period can include the loss of customer base. One of the folks on our health care advisory board, very specifically this person is on the payer side, very specifically said, “We had a breach of records and we were able to measure a customer flight.” So, I think a lot of things go into this $408 number not the least of which are fines an additional regulatory oversight but that tail period.

Mike Hamilton [07:18]

Another trend, and this is greater than the health sector, but I'll try to package this the right way. There is an increasing trend towards the expansion of regulatory purview to encompass third parties. So, I have these logos here the Department of Defense. The Department of Defense says if you are a contractor, service provider, anything to a department events, to the defense industrial base, you have to comply with the requirements in the Defense Federal Acquisition Requirement Supplement, that DFARS, and you have to assess against NIST 800-171 which is a standard of practice just like the multiple others. The ISO standard, the information security forum standard of practice, etc., etc., NIST 800-171 is just like that.

Mike Hamilton [08:09]

DoD says got to be able to show your papers or you don't work for the DoD. I think everyone on this call is familiar with Health and Human Services and the Office of Civil Rights, the auditing arm of HHS. So, HHS has come out and said through the rulemaking process … this is not legislated. This is through rulemaking, that if you are a service provider, a vendor to a covered entity, you can be audited against HIPAA. So, that's us. We do a lot of work with health sector organizations and we have to be prepared to survive and audit against HIPAA. So, again, reaching out and encompassing third parties and the supply chain and vendor service providers, manufacturers in some cases. The FFIEC is the audit arm for the finance sector. They have said that in the multiple examinations that go on with a banking industry every year, you now must not only demonstrate to the examiners that you are managing a third-party security program but demonstrate its effectiveness.

Mike Hamilton [09:19]

How you would demonstrate its effectiveness is left up to individual banks to figure out, but this is the time that we are in now. Everybody is looking at everybody else and saying, “Show me your papers or we can't do business.” So, yes, this is impacting providers to the healthcare industry in probably a good way, but when we talk about an acquisition, that is a much higher bar to meet than when we are talking about you're going to sell syringes to me or something like that. So, the M&A has been going on fairly vigorously. So, when 116 Health Ware Acquisitions were announced in 2017, I'm fairly certain that this year is on track to beat that number, but what's more interesting is how the buyers felt that they had picked up an organization that immediately threatened them.

Mike Hamilton [10:19]

They are dissatisfied with the standard of care applied to IT security in the company that they acquired, and for some reason, they didn't find that out a priori. Here are 58% found a problem themselves at an acquired company. So, as soon as we started to bolt our companies together, we started to see that there were security problems already extant. So, these trends, these three trends, the dissatisfaction with having acquired companies whose security is rather dubious, the expanding purview of regulatory agencies to pull in third parties and the healthcare industry itself having a much greater impact when there is an unauthorized disclosure of records, all these are trends that I think are germane to the topic that we will discuss here in a moment.

Mike Hamilton [11:21]

So, here's our first polling question. Have you worked at a healthcare organization that has gone through an acquisition or clinic roll- up recently? Not meaning have you recently worked there, have you worked at a company that has either been an acquirer or an acquired company going very far back? So, we're going give you a couple of minutes to go ahead and submit, before we move on. I think that we're already getting pretty good numbers rolling in. From what I can tell, it's reflected in the responses that yeah M&A has been going on fairly vigorously and I see that nobody is not sure which is probably a good sign I didn't know if my company was acquired or not.

Fred Langston [12:18]

It's interesting that the majority seem to have experienced an acquisition or roll up recently.

Mike Hamilton [12:24]

Yeah. I mean error bars and all, it's probably 50/50, but even 50% is a pretty big number. Okay. So, we have about 60 respondents there. We're going to give you just a couple of more seconds before we move on. I believe that all these results will be made available to everyone after the presentation. I think just even in itself this is an interesting number. Okay. So, I think we're about where we are going to get with the poll results. I'm going to go and moved to the next cybersecurity polling results. So, let's look at polling results right there. So, yeah, it ended up about 50/50. That is, I think fairly interesting. I think I would want to understand how many organizations are represented here with multiple respondents. The numbers may be a little skewed there, but I think the take home there is about 50/50, so that's interesting result.

Mike Hamilton [13:31]

Okay. So, let's talk about the due diligence that needs to occur to avoid some of the outcomes that we talked about and then we will talk about a little more. Fred, I'm going to go ahead and let you take this one here.

Fred Langston [13:45]

You bet. So, we're pretty familiar with the potential outcomes although we'll elaborate on those, but the issues involved in M&A and acquiring some other entity are numerous. The first thing a lot of people have an instinct to do is let's connect those networks up and start allowing them to start trading healthcare data and we're going to start integrating these systems which is probably the first thing you don't want to do, because until you have a very good idea of what controls exist, what potential threats may already be existing in their network, because you don't really know yet, you need to have a very stepwise and well-thought-out plan on how you're eventually going to connect these networks and the activities that you should be conducting prior to connecting them and at the point of when you connect those two systems or networks.

Fred Langston [14:47]

So, that's one of the first things that people want to do, but you have to fight that instinct and really work methodically through the process to make sure you're not as Mike mentioned ruining the security level of a well secured network by attaching it to a very poorly secured network. You're only as good as your weakest link. So, when you connect those networks, you become the lowest common denominator for security. Probably not what you want to do.

Fred Langston [15:13]

One of the things that also happens especially at an organization about to be acquired is they're going to deprioritize cybersecurity to some degree. It depends kind of on the team and how much they're devoted to their craft and their jobs, but they're probably not going to be having new budget money being thrown at cybersecurity. That money is going to go towards things that are going to increase the bottom line, that are going to increase the valuation of the organization to be acquired.

Fred Langston [15:42]

So, cybersecurity which is always purely a cost center is going to get short shrift. The other part of it is you may have a staff at the company to be acquired that is somewhat demoralized. They don't know what their futures are going to hold. They don't know if they're even going to have a job after this merger or acquisition activity. So, they may be losing some of the motivations they have to do the types of jobs they should be doing around information security. Of course, you have the problem of two completely independent security programs. This can be as disparate as one organization, maybe in the larger organization, firewalls are not handled at all by the cybersecurity, the risk management organizations. That's a network function. They purely take the recommendations that maybe come from the advisory security organization and all that work is done in a network group.

Fred Langston [16:41]

At a smaller organization, it's probably just the opposite. It's probably the security team that is making changes to the firewall rules. So, you have a people problem, when you pull these organizations together. I have to find maybe work for certain people, maybe some people won't have a position in my new organization because the firewall people that we're managing that are now part of my network team. Maybe there's some moving people around in positions, but you have to think about what the two organizations entail. You have to decide which organizations model you're going to follow because it is possible that a smaller organization or one that's close to equal size in a merger scenario may have better security than the larger organization. So, you have to really think about how you're going to pull these systems together, pull the programs together and connect the security technologies you have like monitoring technologies. How are you going to synthesize something that makes sense when you're connecting to organizations that potentially have differing monitoring technologies, different skill sets amongst the teams. There's a lot to think about when you're just going to marry these programs together and how to do it and come out at the back end with a better security program and organization overall.

Fred Langston [18:04]

We also have broad definitions on what people set up when they're doing role based access for different systems. One EMR system and especially if it's a different vendor, you may have vastly different concepts of what particular roles are and what you should be providing access from people at a former position in an acquired company and are they being integrated in the new company. It may not be a one-to-one translation of user rights and permissions and privileges from what the previous system they were working on to the next one. So, you may have to relook at how you're going to bring those new people into your current role-based access systems and access the EMR systems and all those health records containing systems.

Fred Langston [18:53]

We need a thing about governance. Who controls what, when we move forward here. They should be decided probably beforehand. You should probably think about, who are the senior people at the organization being acquired? Are they relevant to my organization? Do I need to leverage that to increase the size of my particular organization and maybe repurpose these people? You really need to start defining who controls what, who makes the decisions for the overall organization and who those people are going to be in the newly formed new world after acquisition. You also are going to have a bunch of things happening at each organization. What you may find is a big initiative that we take in at the to be acquired company. Maybe they're deciding they're going to get into the source space which is security orchestration and response. So, it's a set of technologies that may be in your bigger organization you already have a different set of technologies, maybe you have a different approach and you're not going to go with that that type of technology, so you may have big sunk costs. You may have a bunch of technology integration efforts. You need to find out is this whole set of technologies that the company to be acquired is purchased, are they just going to go away?

Fred Langston [20:16]

You need to map all this into your strategy and you need to provide it of course so that people that are considering the acquisition to account for these things in the process. Then one of the last things you really need to be concerned with is when these mergers start happening right before and during and when they first become a one company, you are a ripe target for attack. The hackers read the papers just like anybody else. They know this is a time of confusion, a time of change and they also know that there's a whole set of people in one organization that are going to be receiving emails from potentially a different domain and a different email system. They may not know who those people are. So, it's very ripe field for the taking for people to implement business email compromised attacks, where they spoof, or they act as if there's so many from an internal organization and then ask to have an account number change for something that gets paid and you're sending money to Russians somewhere. So, there's all these things we need to think about. That's not everything. Then on the other side, we have our potential outcomes. I think everybody kind of knows the bad things that can happen. I think Mike you've got some commentary on that, so I'll hand it over to you for the rest of the slide.

Mike Hamilton [21:39]

Yeah, I think everybody is familiar with the sales tactic of fear, uncertainty and doubt. Here's all the bad things that can happen to you. Okay, we all know those bad things happen. I will say though that I talked to not an insignificant number of elected officials, and when I do, I make sure to package things in such a way that they understand what I'm talking about. The way that I talk about outcomes and yes all of these are outcomes that result from bad events let's call them. I can classify them in three ways. Number one is the unauthorized disclosure of protected records, the dreaded data breach. The thing we think is the most important worst thing ever to happen in the world and I assure you it is not. The second one is theft and extortion. Fred touched on that a little bit with business email compromise. I would say that in this bubbly time when there's an acquisition going on and there are people that are watching for these acquisitions to happen just because they know the confusion is something that they can leverage. You'll just start getting invoices from companies you never heard of. Because of all this confusion, the likelihood is a lot of them are going to get paid. So, theft and extortion is really going to be a top of list, but the one really that trumps everything is disruption of critical services.

Mike Hamilton [23:11]

I make a joke about it when I do my public speaking but it's not a joke. If I get another letter from a credit card company, I'm just going to throw it in the trash because 57 different times my credit is being monitored for free, and I don't really care. I've been desensitized to that whole thing about record. There are no records left to steal. Why should I freak out about that? If my kid stops breathing and I call a hospital call center and it doesn't work, that's going to be the worst day I ever have in my life. So, disruption of critical services is really the outcome that we want to avoid. Forget the regulatory impact and all that other stuff, you want to continue to operate.

Mike Hamilton [23:50]

Okay. With that little bit of freaking out, let's do another poll. Hey. So, does your organization have a methodology for assessing the security of acquisition targets? I think given that about 50% of the folks on the call have gone through either an acquisition from the position of an acquirer or they acquired, I think that there may be a little insight into this. It's probably less than 50% of the respondents that know a lot about it, unless everybody on the call is intimately involved in information security of acquisitions. Let's see what we get though.

Fred Langston [24:41]

It's looking about what I think we'd expect Mike. Looks about it.

Mike Hamilton [24:44]

Yeah.

Fred Langston [24:44]

Maybe a third of them.

Mike Hamilton [24:49]

Yeah, a little less than a third.

Fred Langston [24:52]

Why don't we hit the results slide and move forward when we take over-

Mike Hamilton [24:56]

Okay. Let’s go ahead and look at these results. Okay. So, that's what we have. I think there's a few more results coming in, but it looks like it's going to stay right around here. So, no is our biggest bucket. Okay. You want to go ahead and take it Fred?

Fred Langston [25:09]

Sure. So, what we're going to talk about now is, what are the things that you want to consider if A you're an organization being acquired or B if you are the organization that is being acquired? All right. So, if you're the acquiring organization, one of the things I like to advise people to do is think about A your audit and compliance standpoint and footprint as it exists in your current organization and start asking the organization that you hope to acquire to provide certain audit artifacts, because that will teach you an enormous amount about the maturity of the organization you're going to acquire.

Fred Langston [25:54]

So, A you're going to be able to say to yourself, “Okay, when we bring this organization on, am I going to have difficulty maintaining my HIPAA compliance, maybe my SSAE18, SOC2 type two, whatever sorts of things you're being audited against or measured against, is this going to significantly impact my efforts to maintain my level of compliance? Moreover, you're going to be able to find out if you say, “Hey, I want you to produce, just like an auditor would, I'd like you to produce that change control record for this change that happened three months ago.” Then you can look and say, “How long is it going to take for them to produce this?”

Fred Langston [26:33]

If they're a well-oiled machine, you would expect them within an hour maybe or even shorter to be able to produce that artifact. If you wait a week and you still need to call up and say, “Hey, I still need that artifact.” That is telling you an enormous amount about the maturity of that organization and the level of effort you're going to need to put in to bring that organization up to a level where you can pass an audit, or you can prove that you're compliant with your HIPAA requirements. So, this is a great test. It's a great way to understand how mature they are, and it's a great way to understand how much it's going to be an impact on your organization to get the entire new entity up to compliance and up to speed.

Fred Langston [27:20]

I think we all know that we should be doing a risk assessment ahead of time, but what are the types of things we really want to consider when we're doing this risk assessment? First off, we want to make sure that we're providing information to the people making the decision whether to acquire this other company. Is this a good idea? Does it make good dollars and cents? Is it adding to the risk at an unacceptable level? These are the things that should be significant considerations in the acquisition process. When you're thinking about these two organizations and you're starting to begin to think about, “Okay, looks like something may happen. Let's start thinking about what it would take to bring these together.” Think of these as totally untrusted network. So, you have your own trusted network that you've been managing.

Fred Langston [28:09]

Now, you have to consider this as a completely untrusted network. That means, when you're starting to think of integrating, you need to double check everything. You may need to implement entirely new security controls from the ground up. Really the most prudent approach is to think of I'm going to rip it and replace everything they have and think of what it will cost me to get it to a level of confidence that they're just like the security we have today. That usually is best looking at what's the worst-case scenario. That worst case scenario is I'm going to start over from scratch. So, that should be a bounding number. When you're reporting this information up to the people considering the acquisition, this is very valuable because you can say, “Well, it could cost as much as this to get them there.”

Fred Langston [28:58]

Of course, you're going to try to put a finer point on that and get a little closer but don't neglect saying, “If I have to do everything, this is what it may cost.” So, that's your upper boundary and then something below that is your lower boundary based on your risk analysis, risk assessment activities. You're going to want to definitely know and prioritize all your main areas of risk, how you will address them and who's that important to.

Fred Langston [29:23]

Well, it's important to you, because if you don't present this to the people on the board that are going to approve the acquisition, to the people in the acquisition team, you are laying the runway for you to ask for a significant amount of budget that most likely you're going to need to ensure that you have a decent level of security in the organization. So, you're setting the groundwork, laying the groundwork for people to understand, “Yes, we can do it but there are significant cost. Here's what those costs are. Let's plan for them. If we're going forward with this acquisition, you should be known ahead of time.”

Fred Langston [29:59]

The other thing we're going to want to do is we're going to really plan ahead, and the first thing we're going to want to do when we are going to start bringing these together we want to increase the monitoring, the detection and the ability to respond to incidents. So, again, we're probably going to want to have a little above and beyond in our plan to make sure that as we're getting ready to bring these together, we're starting to get visibility to be acquired organization as soon as the day that we're going to bring these together. We should have a plan ahead of time to get these controls in place right away, long before we connect the two organizations, because this is our visibility. This is how we're going to know, “Wow, we think we know a lot but we actually get in some visibility on day one of the of the acquisition. Now we're going to have some hard data on what's really going on in this organization.” Worst case scenario, it's possible that they may be compromised and you're going to start on day one with a compromised entity. Mike, you want to talk about it from the acquired organizations perspective?

Mike Hamilton [31:06]

Yeah, I will emulate someone who's at an acquired organization. I do want to say that the last point you made is I think critically important in even hiring a managed security provider to come in and deploy some telemetry into the network you're requiring right away. It can help you uncover something that could end up being very bad if somebody knows and there's lots of ways to find this out, that a larger organization is acquiring a smaller organization. It is a good assumption that the smaller organization does not have mature controls in place. So, if I want to be in that bigger organization that has their own SOC and their own team and their own set of controls, that's very mature. I'm going to start with that small organization, and it's just an easy way in. This has happened a lot.

Mike Hamilton [32:01]

So, that monitoring out of the chute is critically important, but if I am the acquired organization, I want to start putting lipstick on this pig to the extent possible right away. I'm not insinuating that every acquired organization is a pig, but let's face it. When there is an acquisition like this, everybody's fighting for their jobs. So, one of the things that's going to be affected is morale. So, as a leader, helping to help manage that morale is a great idea as well as starting to look at the artifacts and the documentation and the processes that you're going to need to submit to the acquiring organization. Remember, we're just considering this right now, but it's time to start getting ready. If your organization is considering being acquired, eventually they're going to be acquired.

Mike Hamilton [32:53]

So, to Fred's point, compliance documentation. What are the recent audits look like? Do you have a corrective action plan? Remember, going back to my point about this expanding purview of the regulators, your third parties are in scope. So, have you been managing the security of your third parties and can you prove that through attestation or some other evaluation methodology that you have employed? You want to talk about your own staff and how qualified they are and what your organizational model looks like. If you split it up into security risk and compliance, well that's one way to do it.

Mike Hamilton [33:33]

Maybe that aligns with the acquiring organization and maybe it doesn't, but describing how you layout your security programs who does what and even if IT does security. Help desk has a role. Network management has a role. Desktop has a role. Got to lay all that out. Again, with the vendors, the contracts with the vendors so that the acquiring organization knows who they are entering into a relationship with. Maybe they've already experienced and rejected some of those vendors. So, it's important for them to know that.

Mike Hamilton [34:11]

This is an important one. We'll go back to Yahoo and the fact that they experienced multiple security events in the middle of an acquisition and that drove down their price. There's a little bit of an exposure here, because if you create, if you are the acquiring organization and you can somehow create the perception of a security problem, that can affect that sale price, but just on the up-and-up, now is the time to really get your game up, get your radar up and make sure that you don't have an event that affects that acquisition price. That is extremely important and we've got some case history that shows that is a particularly vulnerable time.

Mike Hamilton [34:55]

So, again, just maintain a high level of security operations, make sure that you're doing as exemplary a job as you can and that you are able to transmit to document to substantiate the fact that you have a security program that is clicking on all cylinders. So, when we get to acquisition confirmed, it's time to really pull back the kimono, but when we're just thinking about it, there's a set of things to engage in, so that you paint the best picture possible for the acquiring organization.

Fred Langston [35:29]

Thank you, Mike. So, we're to the point and yep the acquisition is going to happen. So, what's the first thing I'm going to do? I'm going to update my incident response plan. I'm going to go and find out exactly what capabilities the organization we're acquiring has. I'm going to start building a plan that addresses everything I need to so I can integrate the function into the new organization. That can be maybe taking their instant response plan without marrying it to yours. Maybe it's breaking and building new teams if there's a whole bunch of things that can go into this, but the one thing I do know is that this is a time of high risk. This is a time when I'm an active target. First thing, I want to make sure I've got that plan updated and it covers both organizations and it allows me to respond in an effective manner no matter where these attacks or threats are coming from. I certainly want to do a whole series of technical testing.

Fred Langston [36:33]

Some of the things to keep in mind here, you know it's a program. Our technical testing should be part of a vulnerability management program. So, we're probably integrating more than just the testing, we're integrating the whole vulnerability management program. We want to begin to meld the program so a testing in one organization looks like so to speak or give us the same results as testing in my organization. So, that could be aligning methodologies. It could be aligning penetration testing vendors. It can be aligning the types of testing that we're doing. So, for example, I may be an all on-prem organization

Fred Langston [37:12]

I may be acquiring a set of clinics that their EMR is in the cloud, and maybe all their health record systems are software as a service model. This is something I may be totally unfamiliar with. So, I need to have a whole new sets of methodologies potentially new skill sets on my team to begin testing of these technologies I've ever tested before. So, there's a whole set of things you need to think about on how we're going to integrate your vulnerability management, all your testing, adding potentially new testing methodologies and new skill sets to my team to ensure I have the ability to do these in a consistent manner so the results I get in one organization are going to look like the results I'm getting it in my organization. So, again, big integration. This sounds like a small thing. Hey, we’re just going to do a pen test but it's bigger than that.

Fred Langston [38:02]

Another thing that a lot of people don't think about, everybody pretty much takes credit cards, even in the healthcare industry just about everybody takes credit cards. If you're bringing in an organization that has what they call a cardholder data environment where they're actually storing cards, that's a whole another set pen test with its own methodology you may not even be familiar with when you're bringing that organization in. So, a lot to consider when you're bringing the vulnerability management programs together.

Fred Langston [38:33]

As I'd mention, build in the cost of building a whole new program at the acquired facilities. So often, it's, you know what, you've got good technology over here. It's working but, you know what, it's not going to integrate with what our choices were for security technology and we just got to get rid of that technology. Something that we normally are loathe to do but it may be the best thing in the long term. So, even if something works well, you may be taking it out of your program. So, that's definitely something to consider. I'm going to give that piece of advice, that consider this as building an entirely new program and it's a benefit when you find ways to skinny that down and not have to spend as much money. Mike, what's it like on the acquired organization side?

Mike Hamilton [39:23]

Oh man, I hope we get to keep our jobs. We got to start pulling back the kimono now and really starting to support what we do with some documentation. I'm going to go back briefly to the vendor contract. So, we had to disclose the vendors we're doing business with, and now we're going to have to come up with those contracts and help the acquiring organization design that roadmap that says, “Well, we have to keep this contract for two more years. Is this something we want to cancel now and take the hit or is this something we can write out and deal with later?” Those timings are going to start to be important.

Mike Hamilton [40:02]

This is a business event going on fundamentally, and really managing the spend around, this is going to be top of mind of the executives in both businesses, but from my perspective, we're being acquired. I want to make sure that we demonstrate a lot of value and preserve whatever possibility we have of continuing to work in these roles now for the larger organization. So, we want to start to align with the culture of that larger organization because we may be being acquired by somebody who has a very different idea about that employee environment and what it's like to work here and their mission statement etc. It's going to be important to start adopting that and even being a chameleon in becoming part of that new organization. That starts with culture and process.

Mike Hamilton [40:54]

Again, the inventory of key assets and technologies and when I say assets and technologies primarily security technologies when we're talking about preventive and detective controls. That goes back to vendors and contracts but your firewalls, your intrusion prevention system, your antivirus or your endpoint security, URL filtering, email security. How is all that done? That inventory of those technologies just from a security perspective but then from a larger view, we need to talk about where those key assets are. Where are the databases, where is that cardholder data environment to the extent that you're taking credit cards? How is that segmented off? Start to show things like logical network diagrams that articulate where these pots of gold are in your environment. These are going to be extremely important to pass over to the new company along with the controls that you have built around them so that we can together evaluate whether or not those controls are adequate.

Mike Hamilton [42:04]

Fred talked a little bit about security initiatives too. So, security orchestration, that's an initiative and frankly from what I've read, it takes a lot of people to get that stuff to work. I could see how a company could come in and view an initiative going into soar as producing an outcome that is exactly the opposite of the one that's intended, because of the need to throw the people at it. So, disclosing those security initiatives and the potential budgets that go with them but also educating the managements on how you're doing those things. Not only your initiative, but the existing programmatics.

Mike Hamilton [42:52]

What is your routine compliance activity checklist look like? Are you doing quarterly firewall rules review? Are you doing annual penetration testing? Are you doing quarterly vulnerability scanning? Are you doing annual security awareness training and policy review? Things like that. So, the status of your security programs and I would say very important to the status of your security programs is how you handle monitoring and incident response. Everybody has preventive controls in place to decrease the likelihood of a bad outcome. I talked about records disclosure, theft and extortion and disruption of critical services.

Mike Hamilton [43:33]

So, avoiding those outcomes, everybody's got preventive controls in place to reduce the likelihood of one of those, but a security event today is fairly foreseeable. So, the impact of that event. How programmatically are you monitoring, detecting, investigating, responding and recovering to minimize the impact of those events? That's going to be very important to demonstrate to the acquiring organization. All of this goes to promoting the value of your team. Ensuring that you are being viewed, the perception created is that you're handling security for this organization and it you are going to be required because of your tribal knowledge and because the initiatives that are in place that we're going to continue, but you're doing a good job with this.

Mike Hamilton [44:26]

So, everything that you can do to demonstrate the fact that you're doing a good job here in line with this acquisition process, and I'll say one more thing. Nothing goes as far in demonstrating that got a handle on security than being able to show data. If you can show data especially success metrics like minimizing the residence time or the dwell time of malware in the environment, minimizing the cost per incidence, reducing time to incident close, pushing incident response on to lowest cost resources like help desk, those are all very important metrics to be able to hold up, to show that acquiring organization that you're not just reacting to things that happen. You've fought your way through this and you're really trying to pull the levers that affect the business side of security. Fred?

Fred Langston [45:23]

Okay. So, now we're post acquisition. The acquisitions happen. Good news for Mike, we decided to keep him on. He's still got a job.

Fred Langston [45:31]

We love what he’s done. The first things was the IR plan but we also have a time to integrate and communicate the new policies, right? Maybe we have to marry them together again, maybe we throw one out and we train the acquired organization on our current policies, but certainly that has to happen almost immediately. Nobody can know what to do. Nobody's know what the policy is until somebody's communicated it to them. So, some form of security awareness training that at least elucidates the new policies the acquired organization needs to work under, that has to happen. So, people kind of forget. It's just like bringing on … if it's a 200-person organization, you have 200 new employees to train. So, you've got to consider it that way. We have to have continuous training on staff best practices. There are certain things that you're going to want to train the new staff on immediately because those are threats that you've been continuously dealing with.

Fred Langston [46:33]

Your staff hopefully has become better equipped to handle those things, but this new set of people, maybe you acquired a clinic in your 10 hospital chain. This is a whole new world for those people, right? They haven't been working in your environment which is corporate and has maybe a half a dozen people working in the security group. They're a small clinic and it’s the IT guy that was doing all this. So, you have to consider what are these training requirements for this organization based on where they come from, what the culture was, what the size and character of the organization was, how do I close that gap to bring them up to the level that I have my staff currently working at. I mentioned the Ir plan. Well, it's critically important as well to do a tabletop exercise for that incident response plan.

Fred Langston [47:27]

We've seen people make kind of a mistake when they … “Okay, we're going to run the tabletop exercise just like we've done before.” They run it with a scenario where it's an attack against the bigger organization, the one that did the acquisition. Well, that doesn't teach A the people you're bringing on anything about learning how to work with your team and work it as an incident response capacity together, and it also doesn't allow your existing team to understand what it's like to get things done and to react to an incident in the acquired organization. So, the strong recommendation here is make sure your scenarios, when you do your tabletop exercise, are focused on a breach of the acquired organization. That's how you get your batter rhythm. That's how you train both your existing staff on something new.

Fred Langston [48:17]

That's how you integrate the staff at the acquired organization into your incident response process. So, it's not just run the same tabletop exercise maybe you ran last year, it's write some new scenarios, make sure they cross the boundaries and they exercise your team to understand what these things they need to do. Prior to integrating the network, you want to get monitoring points in there as soon as possible. Mike and I have hit on this many times. It's critically important that we have monitoring points throughout and watch those and understand what's happening on their network before we ever start connecting those together. Of course, we need to consolidate our programs. All the things that we've kind of alluded to before, there's the grand melding if you will of the annual risk assessments, our technical testing and all our processes that support our security program.

Fred Langston [49:13]

So, let's jump to the last poll question. In your opinion, would your ability to address security risk and compliance be improved or diminished in the event of an acquisition?

Mike Hamilton [49:26]

So, this is worded poorly so you don’t get to pick improved or diminished. So, improved is yes. Diminished is no. Let’s do that.

Fred Langston [49:39]

Thank you. Oh, look at that. All right.

Mike Hamilton [49:57]

It is a corollary of the Nyquist Sampling Theorem, that if your sample size is one, your anticipated error is 100%.

Fred Langston [50:09]

Exactly. Okay, we're getting some responses roll in here. We're going to move to Q&A right after this. We'll give it a second and it seems to be a neck-and-neck race. So, we'll give it another five seconds. Right. Okay. Well folks, here's some results to chew on. I think it's a pretty even split.

Mike Hamilton [50:34]

Still 50/50. Yeah.

Fred Langston [50:36]

Yeah, still pretty much 50/50. So, I'm sure there's a lot of great data behind these numbers. Unfortunately, we don't have time to cover it all today. So, let's open the floor to some Q&A. I'm sure this is probably peaked a couple questions out there. We'll turn it over I guess to our moderator to handle the Q&A for us.

HIMSS Moderator [50:59]

All right. Looks like we got a few questions loaded in here. So, I'll just start from the top. Here we have a question from an audience member asking, we just acquired a small clinic that signed a three-year contract with SIEM. I have my own technology stack and to increase operations in other ways. What do you recommend?

Mike Hamilton [51:25]

So, are you the acquired or the acquiring? I didn't understand that.

Fred Langston [51:31]

The acquired. Excuse me, acquiree. I’m sorry. We just acquired so it’s the acquiree.

Mike Hamilton [51:28]

Okay. So, okay. So, you're asking, what should we add to the stack?

Fred Langston [51:46]

Well, you just sign just through a three-year contract with a SIEM. You have your own technology act and you want increase operations in other ways. What do you recommend? What would you do with that contract, the existing at the acquired company?

Mike Hamilton [51:59]

I don't know. I think I'd want to look at how long that contract would last and then determine how long I had to make that decision. I don't want to dismiss it out of hand. It actually might be a very good thing. Outsourcing your security monitoring right now is … I think popular is the wrong word but this is something right now that shows a lot of value especially in the health sector. The health sector’s mission is patient care. It's not keeping the bad guys out of the network or managing the risk around these events or anything like. It's really about focusing on that core mission. If you hired at a company to outsource the monitoring detection response, I think it's going to depend on how effective they are.

Mike Hamilton [52:50]

It's a good thing to have in place but it's not an apples to apples comparison. A managed SIEM is not managed detection and response is not a managed security service provider, and there's nuances through there. So, depending on which we've contracted, I think that you'd have to evaluate what the right fit was for your organization. Just in terms of technology, there's going to be differences in the technology that haven't been implemented between the two organizations. That's purely looking at the contract and how long can we ride this thing out before we get the technology to be what we want. It would be a nice surprise if everybody was using identical technology, but it's not likely. I hope that answered the question.

HIMSS Moderator [53:37]                                                                                           

Great. Thank you so much. So, another question from an audience member. What is the most common issue you see during a penetration test after an acquisition?

Fred Langston [53:50]

Sure. I'll take that one. So, the thing that always I think is one of the surprises for us and usually when we come in, we find that there is some level of connection that has been made between the two networks. Commonly, it's, “Hey we just want to sync our EMR systems together or hey we just want a DR recovery so we can do some hot syncing between the sites.” What we invariably find is we can navigate our way and from a pen testing perspective over that connection and get from one organization to the other. That's a worst-case scenario. In my opinion, you have literally at that point said, “We're going with our lowest common denominator. Our security is what our lowest level is. Rather than protecting that high level you had before.” So, that's probably one of the things we see more commonly than I would ever expect.

Fred Langston [54:47]

The other thing we also find is things like patching. Critical function sometimes gets left behind. People stopped caring. They stopped doing things on the cadence and the rhythm that they had before. They're more concerned about maybe running and doing things for the acquisition and these things get forgotten, and now you have an organization that is carrying a significant risk level because they haven't done their patching. So, those are those are two pretty common things we see. Again, the second you connect those two networks together, you are taking the security of the lower organization.

Mike Hamilton [55:27]

I'm going to add one to that real quick. So, first of all, when a penetration test occurs, because we do penetration testing, we always win. We always get in. So, it's a foregone conclusion, you are secure until your ticket is punched, but I think the more interesting results for me is the fact that when you conduct a penetration test against an organization and it's a blind test, meaning that the folks that run the network, the security team, don't know what's going on and they don't know what's going on. They don't see it happening. They're not monitoring, and they can't even tell that their password database is being turned into oatmeal. I think that's an interesting result. The fact that if you treat it as a purple team exercise with no knowledge on the side of the defenders, if they don't see it's going on, that's a big warning sign.

HIMSS Moderator [56:21]

All right. We have another question in here, sort of a hypothetical. How about handling one organization with highly decentralized or outsourced security posture and the other very insource? How do you evaluate who's more effective?

Mike Hamilton [56:43]

I think that's going to be handled at the business level. I mean certainly you can establish metrics and you can evaluate both organizations on the basis of those metrics. So, again, minimizing the dwell time of malware is a reasonable metric to use, minimizing the cost per incidence, minimizing the frequency of incidents would be attesting to the quality of your preventive controls. I think really decisions like that, do we outsource all of our security to man security providers and consultants or do we bring it all in-house, is a pure business decision. So, this is going to be where you not only need to substantiate the quality of your security programmatics but the cost. Fred, [inaudible 00:57:36].

Fred Langston [57:35]

Yeah. Well, I think you hit the nail on the head. I mean it sounds like there should be some way to say, “Oh this one's better than the other.” I'm not sure that that's actually possible without a lot of detailed analysis. So, I think I agree with you Mike. It's about what makes the most sense for the business. I think if one organization has great success outsourcing, I think that's a strong indicator maybe you want to reorganize your program and say, “You know what? That outsourcing is cost effective. It's meeting a high bar and I can repurpose the people.” I'm currently having in my organization doing that.

Fred Langston [58:16]

I already have a test bed. I already know this works so I'm going to repurpose those people the things that are more important or equally important and have them put the time there because nobody has enough help. Nobody has enough security expertise on staff. So, I may repurpose those people and take advantage of that existing outsource contract. That may be a great way to introduce that to my organization with evidence so to speak, proof that this is a valuable service and has high efficacy. I think there's a lot to be said by looking at it as a business analysis.

Mike Hamilton [58:50]

Uh-hmm (affirmative).

HIMSS Moderator [58:54]

All right. Great responses. At this time, we do have to wrap up but thank you to both Fred and Mike for that terrific presentation

Mike Hamilton [59:03]

You bet.

HIMSS Moderator [59:03]

... and engaging Q&A. So, for the audience, please be sure to complete the evaluation at the conclusion of today's event and share your thoughts with us. As a reminder today's session, we'll soon be available on demand through the HIMSS learning center. Have a great day everyone.

Mike Hamilton [59:22]

Bye everybody.

Fred Langston [59:24]

Thank you.