Getty Images/iStockphoto

3 Strategies for Healthcare Merger, Acquisition Cybersecurity Due Diligence

Assessing the target company’s cyber resiliency and establishing a list of non-negotiables are among the top strategies for conducting healthcare merger and acquisition cybersecurity due diligence.

Healthcare merger and acquisition (M&A) revenue reached a record high in the second quarter of 2022, as more healthcare organizations sought to join forces, improve quality of care, and lower healthcare costs.

Conducting due diligence is a crucial part of any M&A transaction, as it allows buyers to assess the target company’s financial posture and capabilities, and risk factors. But in addition to evaluating finances and operations, buyers must also consider the company’s cybersecurity posture. 

“Like other types of diligence, it is useful to understand the overall cyber maturity and cyber resiliency of the asset that you're purchasing and understanding what they have in place to both help reduce the potential likelihood of some sort of incident from occurring, as well as the potential impact if something were to occur,” Christina Powers, partner of cybersecurity at West Monroe, explained in an interview with HealthITSecurity.

“Really [diligence] is just understanding what it is that you're purchasing, what the associated risks are, and then giving you the opportunity to start to plan for what needs to be addressed and what that roadmap looks like for addressing any of the cyber risks that come up as part of the process.”

Essentially, the cybersecurity due diligence process allows the acquirer to gain a thorough understanding of the target organization’s cybersecurity posture.

“Healthcare is an industry in itself that is not the same as high tech, software, or education,” said Nathan Ray, partner at West Monroe. “In those spaces, you have a fairly defined set of capabilities and risk factors.”

Ray, who leads the firm’s healthcare M&A practice, noted that any healthcare organization has a variety of software, hardware, and workflows to secure across the enterprise, all of which have varying risk levels.

The dynamic and complex nature of the healthcare ecosystem makes it even more imperative that healthcare organizations undergo a comprehensive cybersecurity due diligence process to help them manage risk, maintain resiliency, and keep operations running smoothly throughout the M&A process and beyond.

“Those that go through M&A processes end up stronger in fairly short duration after a process, as it might be the first time they've really been held in light of what they need to do to be resilient and secure,” Ray added.

It is important to note that the due diligence process may look different depending on the type, size, and scope of the target company. However, there are still core risk areas that organizations should always consider during this period.

Assess The Company’s Resiliency, Data Protection Practices

Powers identified two key components to consider when assessing an organization’s resiliency. First, the buyer should consider how the target organization is protecting its data, especially given the highly sensitive data that healthcare entities interact with.

Second, buyers should evaluate how the target organization is protecting its critical assets and operations.

“Whether that's looking at being able to provide care or to continue to maintain systems that are used to provide care, making sure that you're considering the implications of those types of threats and understanding the risk mitigation that's in place against each of those is really important and can also impact the value of the asset that you're purchasing or acquiring,” Powers noted.

Buyers can gain visibility into an organization’s resiliency by looking at key technical and administrative controls, such as how the company handles identity and access management.

Organizations should assess how the company manages who has access to what data, whether the principle of least privilege is being applied, and how administrative-level access is managed, Powers said. This is also a good time to look into whether an organization has implemented multi-factor authentication (MFA) to further protect data from unauthorized access.

“Another piece that I think is important is understanding how systems are being monitored and how unusual or malicious activity can be detected,” Powers continued.

To do so, M&A cybersecurity due diligence experts may focus on endpoint detection and response (EDR). EDR allows organizations to monitor threats in real-time and maintain visibility into servers, SaaS applications, and workstations across the enterprise. A comprehensive EDR solution is a good sign that an organization knows how to identify cyber threats.

“Another key piece is around backups and understanding how systems and data are being backed up and then how those backups are being protected,” Powers explained.

“A lot of times if we look at something like a ransomware event, the attackers oftentimes try to go after the backups first because they know that that's what you're going to rely on to be able to restore systems and restore operations.”

Maintaining reliable, offline backups is crucial to being able to resume operations quickly in the event of a cyberattack.

In addition to backups, Powers noted the importance of user training and awareness programs and incident response plans. HIPAA requires covered entities to implement these administrative safeguards, but the process for doing so may look different depending on the organization.

Identity and access management, endpoint detection and response, backups, user training and awareness, and incident response are key areas to assess during the M&A cybersecurity due diligence process.

Establish A List of Non-Negotiables

If the target organization does not have comprehensive controls in place for one or more of these areas, further action may be needed to ensure that the organization improves its security posture.

“We've seen more recently that private equity firms or strategic acquirers are looking at a list of non-negotiables that they want to have in place either before the transaction closes and before they integrate two organizations,” Powers noted. 

“And then looking at it from a transaction perspective, there can be levers pulled in the negotiation where potential purchase price could be modified to cover some of the gaps that may be identified as part of diligence.”

Establishing a list of non-negotiables quickly can help both the buyer and the target organization prioritize areas of improvement and ensure that the two organizations are ready to integrate.

It may not be feasible to require the target organization to make widespread changes immediately, especially depending on the timeline of the acquisition. However, it is crucial to get these practices in writing and establish a clear plan for security improvements to ensure the transaction and subsequent integration goes as smoothly as possible, especially in healthcare.

“Having a hospital have their IT systems go down is very different from having a retail business have their systems go down. The significance of an attack in healthcare is so much more impactful than in some other businesses,” Powers suggested.

 “And so it's really important to understand what the fallback measures are if something were to happen.”

Remember That Cybersecurity is a Continuous Process

The due diligence process is a good opportunity to assess key risk areas and know what the company is getting into before acquiring or merging. However, Powers noted, cybersecurity is not a “one-and-done” process.

“Whether it's the hold period, if it's a private equity-backed acquisition, or just throughout the life of the company, it's important to keep considering cybersecurity,” Powers emphasized.

“What worked a couple of years ago isn't what's going to work for you in a few years. You may be growing, divesting parts of the business, et cetera, or using technology in different ways, providing different services.”

As healthcare organizations know, cybersecurity must be a continuous effort rather than a compliance checkbox. The same goes for mergers and acquisitions.

“It is important to understand upfront the overall maturity and risks of the company,” Powers acknowledged.

“But it is also important to consider throughout the lifecycle and make sure that you're staying on top of the latest threats, continuing to evolve what you're doing from a cyber perspective, and then, especially if you are going up for sale, making sure that you're addressing a lot of that beforehand to make yourself a more attractive acquisition target.”

Next Steps

Dig Deeper on Cybersecurity strategies