Healthcare Mergers and Acquisitions: A Prescription to Improve Security Before Migration

IT Healthcare

Several forces are combining to create a historic period of consolidation in the healthcare industry.

Increased competition, a shift to outcomes-based reimbursement models, and an overall need to widen the scope of care while reducing costs are driving more and bigger M&A deals. In fact, according to Thomson Reuters, healthcare M&A deals totaled US$672.9 billion during 2015, which was a 71% increase from 2014.

Integrating two distinct organizations is difficult in any industry. But regulatory burdens alone, such as HIPAA compliance, set healthcare apart from other industries. And technologically, the widespread use of proprietary systems in healthcare makes integration a significant challenge.

Modernization and Consolidation

Difficult though it may be, more and more IT departments in healthcare organizations find themselves tasked with modernizing or consolidating underlying infrastructures such as Microsoft Active Directory and Exchange Server. These are projects that can last for years. If the project is successful, no one notices. If the project goes south, IT gets the blame. It's basically a no-win proposition for you.

A key focus of the integration should be on reducing risk and avoiding disruption. That means maintaining security and compliance measures throughout, reporting on status regularly, and establishing clear permissions, privileges, and access rights. It also means having a clear backup plan in place in case things go wrong.

Some factors to consider when planning for your integration project:

Security – The acquirer in a healthcare M&A project needs to understand what kinds of liabilities they may be inheriting. If possible, those vulnerabilities should be eliminated before combining systems.

Healthcare organizations are sitting ducks for hackers and insider threats. Ransomware, spearfishing and viruses are common tactics, resulting in failure to achieve HIPAA compliance, identify/data/PII theft, loss of reputation, loss of customers, litigation, fines and more. In 2016, Ransomware encrypted data on an entire hospital system. After consulting with the FBI, the hospital threw theirs hands up in the air and paid to unlock their systems.

Because of the fluid nature of people coming and going, hospitals are also easy targets for social engineers. Complicating factors are the many endpoint devices in the hospital. Cellphones, dumb terminals, laptops/PCs, electronic medical devices, iPads, and more! With so many people coming and going, physical theft is an attractive option, by insiders and outsiders. But often, hackers use social engineering, tricking hospital staff to divulge information or download malware. 

A few months before an M&A deal goes through is the wrong time to discover a security breach.

Access management – Because of the regulatory obligations they are under, healthcare organizations need to be particularly diligent when it comes to access policies. There are a lot of different classes of users in healthcare that you don’t often see in commercial organizations.  Compliance is a key driver for getting identity and access management right, but so is plain old security.

Automation is Possible

The good news is that these efforts can be automated, resulting in systems that are simpler, cleaner, more secure and compliant, if your team takes the right approach.

We can help you find the right approach, using our consulting expertise and award-winning technologies. We'll help you improve security, ensure compliance and simplify AD and Exchange consolidation, with an integration process to carefully manage your project before, during and after the actual merger.

Related Content