With continuous changes in the information security landscape and high profile breaches being announced on a seemingly weekly basis, healthcare providers need to ensure they are properly securing protected health information (PHI). A lack of patient confidence can greatly harm your organization’s reputation and affect your bottom line.
In this environment, it is the responsibility of healthcare providers’ boards of directors (BoDs) to guide their organizations’ cyber security efforts through informed decision making. This means that BoDs should be aware of the types and amount of data their organizations possess, the security controls surrounding this data, the risks facing the organization, and cyber security trends within the healthcare industry.
With the growing trend of hospital consolidation, the burden of maintaining security increases along with the size of an organization. Many health organization BoDs discover unexpected security obstacles after acquiring, or merging with, another organization. This can include different security policies, systemic vulnerabilities, and incompatible network infrastructures.
Discovering a data breach on an acquired healthcare provider’s network could have serious financial consequences. Department of Health and Human Services data shows that, in 2015, there have been 98 security breaches of healthcare providers affecting 500 or more individuals, totaling 1,228,022 compromised records.
A 2015 study by the Ponemon Institute showed that the average cost of a healthcare data breach is $363 per record ($398 per record for US healthcare providers). This means that US healthcare providers will likely spend a combined $488,752,756 on remediating damages from data breaches in the first half of 2015 alone.
SecureState has identified a number of security issues that frequently crop up during healthcare provider mergers and acquisitions (M&A). The acquiring healthcare provider (buyer) should ensure that it accounts for all of the following risks early in the M&A process, preferably during the letter of intent phase.
Current state analysis
It is crucial for the buyer to fully understand the current state of security at the prospective purchase (seller). The buyer should closely review the seller’s security policies, resources, and technology. This will provide a baseline to help the buyer identify control gaps and incompatibilities that require remediation. This should be coupled with a review of the buyer’s policies, resources, and technology to ensure that it fully understands risks facing its new organization. Ultimately, this review should uncover potential security vulnerabilities and provide the buyer with the knowledge to make informed acquisition decisions.
The information security assessments of each organization should include identification of the types, location, and impact of all data. Although the seller may understand how and where data (especially PHI) resides within its environment, the buyer should not assume this understanding is complete. Due to the inter-connectivity between supporting groups and interrelationships between business processes, data tends to reside in systems, applications, databases, and file shares that do not provide necessary information protection, authentication, and confidentiality. The buyer should conduct proper due diligence to ensure that all data is accounted for and secured according to the appropriate regulations (including network and business segmentation).
Properly allocated resources
Based on SecureState’s experience, mid-sized hospitals typically have small security teams. If a mid-sized hospital purchases one or more smaller hospitals, the security team is suddenly responsible for a larger, more diverse footprint. The buyer should ensure that it scales security resources to meet the increased demand. This can be done through new hires or third party vendors.
The buyer should already include thorough hardware and software asset inventories as part of its M&A process. Most asset management systems do not accurately track networked devices like insulin pumps, MRI machines, CT machines, and other medical devices. Since hospitals share the burden of securing these systems with the manufacturer, it remains critical to accurately inventory these systems and identify potential rogue devices.
The buyer can integrate security into this process by developing a strategy for securely consolidating the different organizations’ assets, processes for continuous network scans that identify new devices (especially those not normally managed by internal tools), and maintenance processes that encompass all assets.
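As an added illustration of the scan-versus-inventory reconciliation described above (example code written for this page, not SecureState’s tooling or process), the script below compares a constructed asset inventory export against constructed discovery-scan output, keyed on MAC address. It flags devices the scan sees but the inventory does not (rogue), devices the inventory knows but does not actively manage (the medical-device gap), and inventoried devices the scan no longer sees. The field names, the vendor list and all addresses are assumptions for the example.

```python
"""Reconcile a network discovery scan against an asset inventory.

Added example for this page (not SecureState's tooling). The inventory export,
scan output and vendor list below are constructed sample data; a real run would
parse the CSV/JSON your inventory system and discovery tool actually produce.
"""
from typing import Dict, List

# Constructed inventory export. Assumed fields: mac, hostname, owner, managed.
# "managed" means the device is covered by the internal patch/config tooling.
INVENTORY = [
    {"mac": "00:1a:2b:3c:4d:01", "hostname": "ehr-db-01", "owner": "IT", "managed": True},
    {"mac": "00:1a:2b:3c:4d:02", "hostname": "mri-suite-3", "owner": "Biomed", "managed": False},
    {"mac": "00:1a:2b:3c:4d:03", "hostname": "nurse-ws-117", "owner": "IT", "managed": True},
    {"mac": "00:1a:2b:3c:4d:04", "hostname": "ct-scanner-2", "owner": "Biomed", "managed": False},
]

# Constructed discovery-scan output. Note the differing MAC formatting on the
# last row, which is typical when two tools' exports are merged.
SCAN = [
    {"ip": "10.20.1.10", "mac": "00:1a:2b:3c:4d:01", "vendor": "Dell"},
    {"ip": "10.20.1.44", "mac": "00:1a:2b:3c:4d:02", "vendor": "Siemens"},
    {"ip": "10.20.1.88", "mac": "00:1a:2b:3c:4d:09", "vendor": "Medtronic"},
    {"ip": "10.20.1.90", "mac": "00-1A-2B-3C-4D-03", "vendor": "HP"},
]

# Constructed sample of manufacturers whose presence on a rogue device suggests
# it is clinical equipment, which needs the Biomed owner looped in rather than IT.
MEDICAL_VENDORS = {"siemens", "medtronic", "ge healthcare", "philips"}


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC so '00-1A-2B-3C-4D-03' and '00:1a:2b:3c:4d:03' compare equal."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(inventory: List[dict], scan: List[dict]) -> Dict[str, List[str]]:
    """Return sorted MAC lists for each reconciliation category.

    rogue:         seen on the network, absent from the inventory
    medical_rogue: subset of rogue whose vendor looks like clinical equipment
    unmanaged:     seen on the network, inventoried, but not under internal management
    missing:       inventoried but not seen by this scan (decommissioned, offline, or
                   on a segment the scan does not reach)
    """
    known = {normalize_mac(a["mac"]): a for a in inventory}
    seen: Dict[str, dict] = {}
    for host in scan:
        seen.setdefault(normalize_mac(host["mac"]), host)

    rogue = sorted(m for m in seen if m not in known)
    medical_rogue = sorted(m for m in rogue if seen[m]["vendor"].lower() in MEDICAL_VENDORS)
    unmanaged = sorted(m for m in seen if m in known and not known[m]["managed"])
    missing = sorted(m for m in known if m not in seen)
    return {"rogue": rogue, "medical_rogue": medical_rogue,
            "unmanaged": unmanaged, "missing": missing}


def report(result: Dict[str, List[str]], scan: List[dict]) -> List[str]:
    """Render one line per finding, with the scanned IP where one is available."""
    ip_by_mac = {normalize_mac(h["mac"]): h["ip"] for h in scan}
    lines = []
    for category, macs in result.items():
        for mac in macs:
            lines.append(f"{category:14} {mac} {ip_by_mac.get(mac, '(not seen)')}")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(INVENTORY, SCAN), SCAN):
        print(line)
```

The "missing" category deserves follow-up rather than silent deletion from the inventory: in a newly acquired hospital it often means a device sits on a segment the buyer's scanner cannot reach yet, which is itself a finding about segmentation.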
The buyer in a hospital acquisition is not just buying a facility; it is also buying a large amount of medical hardware and software, much of which has associated contracts with third party vendors. Even if the seller has vendor management processes in place, they may differ from the buyer’s and not meet the same security standards. The buyer should reassess all of the seller’s vendors according to an established, effective vendor management process. This can include questionnaires, technical validation, and onsite audits.
The seller’s and buyer’s employees may have different expectations regarding their security responsibilities. For example, the two organizations may classify documents using different labels, handle records differently according to that classification, enforce different password length and complexity requirements, and use different incident reporting structures. The buyer should closely review its own and the seller’s policies, along with security best practices, to develop consolidated policies that meet the business needs and operational realities of the newly consolidated organization.
Hospital M&As can be high-risk propositions resulting in unexpected costs, disruptions in patient care, and dissatisfied employees. The last thing hospital BoDs want to deal with during a merger is the fallout from a data breach. Accounting for security concerns early in the acquisition process should help hospital BoDs protect sensitive data, reduce the chance of paying penalties, and facilitate the development of sustainable security practices.