Given that cyber breaches can wreak near-apocalyptic levels of disruption, it’s not surprising that acquiring health systems want to know as much as possible about an acquiree before, during, and after a merger.
The topic was tackled at the recently held HIMSS Healthcare Cybersecurity Forum in a discussion between Todd Greene, SVP and CISO at Advocate Health, and Adam Greene, Partner at Davis Wright Tremaine. The duo touched on the importance of cybersecurity diligence, compliance, and the strategic integration of acquired entities to safeguard sensitive data and minimize risk.
Todd Greene stressed that robust cybersecurity measures must be prioritized early in the M&A process to prevent vulnerabilities from jeopardizing the combined entity post-acquisition. For instance, organizations should conduct thorough risk analyses, including vulnerability assessments and penetration testing, to reveal potential security gaps and protect sensitive health information.
Adam Greene pointed out that the accuracy of pre-merger disclosures around risk and previous incidents has become a significant area of concern for acquiring entities. What buyers want to see are proactive measures, like having privacy and security policies unique to each organization rather than generic, one-size-fits-all plans.
Due diligence was emphasized as the foundation of a secure acquisition. Todd Greene highlighted the importance of a gap analysis to identify immediate security deficiencies in the acquired entity. He recommended developing a comprehensive cybersecurity integration plan based on this assessment, which helps streamline disparate systems, promote best practices, and align policies across entities. He also noted that the process has distinct phases: pre-merger due diligence, then the post-merger but pre-integration period, and finally the digital connection of the two organizations.
Adam Greene explained the role of a “disclosure schedule” during due diligence, where organizations list any material non-compliance with regulations, such as HIPAA, to prevent post-deal surprises. This approach ensures transparency, as buyers are informed of any potential risks related to the acquisition’s cybersecurity practices. Todd Greene further advised checking for indicators like the existence of a protected health information (PHI) inventory or robust security policies, both of which signify a higher level of cybersecurity maturity.
A critical factor in successful M&A is the establishment of broad governance councils with decision-making authority, rather than relying solely on internal IT teams. These councils, comprising representatives from different organizational areas, provide oversight and drive alignment on cybersecurity strategies. Additionally, implementing robust change management practices enables organizations to adopt best practices from both sides of the merger, while also addressing variations in cybersecurity procedures.
Todd Greene suggested creating a spreadsheet with essential questions answered by both entities to assess compatibility and determine areas needing attention. This approach provides a quick, color-coded snapshot of risk areas, ensuring that both entities operate on the same security level and facilitating a smoother transition.
Adam Greene stressed the importance of realistic representations in compliance documentation. Instead of claiming perfect compliance, he recommended acknowledging efforts to meet standards, as no organization is flawless. This honesty helps buyers better understand the true legal risks. Documentation of efforts, especially for organizations with previous security incidents, serves as a safeguard during audits or legal inquiries.
He also discussed the concept of “materiality thresholds” to guide due diligence priorities. Understanding what constitutes a material risk helps organizations decide which compliance deficiencies to disclose, streamlining the M&A process and managing expectations effectively.
Both Todd and Adam Greene emphasized the need for comprehensive risk assessments. Adam Greene recommended a mature risk analysis as an essential step post-acquisition, focusing on both the likelihood of security incidents and their potential impacts. For instance, small practices with limited cybersecurity prowess may have higher risk due to their limited resources, potentially exposing the larger healthcare entity to greater liabilities post-acquisition.
In line with these precautions, Todd Greene advised conducting post-M&A cybersecurity assessments by independent third parties. Such assessments evaluate the acquired entity’s security level and validate previous testing results, providing a clearer view of the new security landscape.
For healthcare organizations navigating M&A, proactive collaboration between security and legal teams is crucial. Both Todd and Adam Greene noted the importance of being involved early in the acquisition process, even before the deal closes. By fostering these relationships, CISOs and other security professionals can voice potential risks and contribute to a secure and successful integration.