In the evolving healthcare landscape, mergers and acquisitions (M&A) have become a cornerstone strategy for health systems seeking operational efficiencies and expanded care delivery. However, the convergence of multiple organizations introduces a unique set of cybersecurity challenges. Greg Sieg, CISO for the University of Michigan Regional Health Network, provides valuable insights into managing cybersecurity during these critical transitions.
M&A Complexity and Cybersecurity
For health systems, M&A activity creates a trifecta of challenges spanning the pre-merger, post-merger, and integration phases. Sieg’s leadership spans multiple entities, including Michigan Medicine, University of Michigan Health West, and University of Michigan Health Sparrow, offering a firsthand perspective on these complexities. “We’re essentially in multiple phases at once,” Sieg explains. “With West, we’re three-quarters of the way through integration, while Sparrow is at the beginning stages. Each stage demands unique strategies to maintain communication, align teams, and secure systems.”
This simultaneous management underscores the intricate dynamics of healthcare M&A, where varied organizational cultures, IT infrastructures, and security protocols must coalesce under a unified framework.
Communication: The Bedrock of Successful Integration
Throughout the M&A process, Sieg emphasizes the critical role of communication in aligning cybersecurity priorities across merged entities. “Open lines of communication are key,” he asserts. “It’s about ensuring CTOs, CIOs, and frontline staff stay informed, enabling teams to move in the right direction together.”
Establishing trust between cybersecurity teams is particularly crucial on “day one” of a merger when risks are most acute. Sieg elaborates: “You’re meeting people for the first time and addressing potential vulnerabilities immediately. Clear and transparent communication with leadership and frontline staff helps build the trust needed to identify and mitigate risks effectively.”
Strategic Tools and Application Rationalization
Standardization across IT systems is often seen as a critical objective in the integration phase. Yet Sieg advocates for a pragmatic approach: “We’re calling it a ‘do-what-makes-sense’ approach. We’re not ripping things out just to rip them out. Instead, we assess contracts, prioritize by need, and align our tools and strategies to address gaps.”
This method enables his team to evaluate which tools provide the best functionality while balancing the need for seamless integration. “We were fortunate to find that many of our major security tools were already aligned, reducing the need for drastic changes,” Sieg says.
An essential early step in Sieg’s playbook is inventory management. “One of the first things we did was inventory our tools and contracts,” he notes. “Understanding what you have, and where the gaps are, allows you to create a roadmap for rationalization and risk mitigation.”
Addressing the New Risk Profile
One of the most immediate concerns post-merger is the heightened risk profile. Sieg describes this as a pivotal focus: “Day one is all about identifying red flags—unpatched vulnerabilities, exposed systems, or any other risks that could compromise security. You don’t have time to wait. It’s head-down work to ensure systems are secure and operational.”
He highlights the need for collaboration with the acquired entity’s security teams: “You need to understand their biggest risks and fears quickly. It’s not about dictating but building a shared understanding of the priorities.”
Challenges Beyond M&A: AI, Cloud, and Machine Identities
While mergers are a central focus, Sieg is keenly aware of broader cybersecurity trends impacting health systems, particularly AI and cloud migration. He observes the dual-edged nature of AI: “AI has made phishing attacks more sophisticated, but it’s also driving innovation in security tools. The key is staying ahead of the curve, leveraging training and governance to mitigate risks.”
Similarly, the shift to cloud-based systems introduces opportunities and challenges. “The cloud offers speed and scalability, but it also increases the risk of misconfigurations leading to vulnerabilities,” Sieg warns. His team emphasizes robust training and vigilant monitoring to navigate these risks effectively.
Sieg also flags the rising threat to machine identities, particularly in the context of ransomware attacks. “Machine accounts are often overlooked — they don’t have regular password resets or multi-factor authentication, making them ripe for exploitation. Protecting these accounts is becoming a top priority,” he asserts.
Lessons for IT Executives
Sieg’s experience offers actionable takeaways for IT executives navigating similar landscapes:
- Prioritize Communication: Open and transparent communication across teams is critical to aligning priorities and building trust.
- Adopt a Strategic Approach: Focus on what makes sense for your organization rather than rushing into standardization. Inventory management and risk assessment are foundational steps.
- Stay Ahead of Trends: Embrace AI and cloud technologies while ensuring your team is equipped to handle their unique challenges.
- Address Overlooked Risks: Pay attention to machine identities and operational technology vulnerabilities, which are increasingly targeted by cyberattacks.
A Vision for the Future
Sieg’s passion for cybersecurity shines through in his advice for peers. “Find what you love and work toward it,” he says. “Cybersecurity is about helping people, and if you’re passionate about it, you’ll succeed.”
As health systems continue to expand through M&A, Sieg’s insights offer a roadmap for navigating the cybersecurity challenges that inevitably arise. His measured approach serves as a reminder that success in this domain is as much about collaboration and communication as it is about technology.
“The goal,” Sieg concludes, “is not just to integrate systems but to build a culture of trust and security that supports the mission of delivering excellent patient care.”