We’ve all heard the stories about botnets and ransomware triggering nightmares for hospitals and healthcare facilities. From an operational standpoint, managing security risk couldn’t be more critical.

But healthcare is a hot industry — and many companies in the space are attracting purchasing interest from even larger organizations. These same healthcare cybersecurity vulnerabilities represent a massive stumbling block on the road to acquisition.

Healthcare Cybersecurity Surprises

A May 2018 study from consulting firm West Monroe Partners revealed that 58 percent of buyers discovered a cybersecurity problem at an acquired healthcare company after the deal was done. What’s more, 49 percent of buyers reported dissatisfaction with the cyber due diligence process during the deal.

The study uncovered several recurring themes, including a lack of robust cybersecurity infrastructure (30 percent), vulnerability to insider breaches (26 percent) and a lack of personnel with in-depth knowledge about cybersecurity issues (24 percent).

Cybersecurity clearly isn’t getting the resources it requires.

Inadequate cybersecurity resources are not unique to healthcare, however. Implementing internal security best practices is a common challenge across growing and established industries alike. So, what gives?

Protecting Data: A Matter of Priority

Sean Curran, senior director of security and infrastructure at West Monroe Partners, said healthcare is not alone — all industries are struggling with resources.

“With healthcare, in particular, the challenges are more pervasive,” Curran said. “We like to think of it this way: If I have a budget, would I rather spend the money on keeping people alive and providing care or spend it on protecting data?”

For some small companies, Curran found that just keeping up with all the regulatory controls inherent in the industry is a monumental task.

“Perhaps they are assessing themselves with rose-colored glasses,” Curran said. “They think they are doing the right thing, but when you run a business as a small entity, every dime you make you want to put it into the business and don’t want to spend on security. They are only looking at how they run the business today and not five to seven years from now.”

Cyber Due Diligence

For healthcare companies going through mergers and acquisitions, the proper due diligence process can make or break a deal. Brad Haller, director of mergers and acquisitions at West Monroe Partners, compares due diligence to getting a home inspection: Before buying a house, an inspector must come in to ensure the foundation is stable, the windows are tight and everything is generally safe.

“Due diligence allows an investor to have the proper data with which to make an informed bid, and can determine how much they are willing to pay for the business,” Haller said.

The due diligence healthcare needs is equally critical in other industries. According to Haller, the firm was surprised by the survey's numbers, mainly that dissatisfaction with cybersecurity diligence was the top issue. For acquiring businesses, he noted, it is hard to assess a company's security posture based on contracts and a few phone calls.

“To understand the security posture of a business, you need to do things like a threat hunt, have deep conversations with the privacy officer, the CISO [chief information security officer] … it’s part of diligence,” Haller said. “Companies may not want to show that they have vulnerabilities.”

Changes for Healthcare; Takeaways for the Enterprise

As big tech continues to establish its presence in the industry, many of these cybersecurity issues are likely to improve, but challenges remain. Curran stressed that perhaps the biggest problem in healthcare is something we hardly even think about: a doctor's password.

Think about it: A doctor doesn’t want to change his or her password every 30 days with a complicated process. What’s more, a July 2017 study from Healthcare Informatics Research revealed that 74 percent of medical professionals admitted to sharing access credentials with others.

“That’s not going to change if you’re owned by big tech,” Curran said. “If that doctor doesn’t want to play by the security rules, they will win out, and security will take a back seat. To them, if security is in the way, they may not be able to access critical data or a critical situation.”

Big tech may be better positioned to get creative about solving a problem like this. Until a cost-effective solution exists, however, Curran warned, significant change is unlikely.
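The credential-sharing figure points to a check that a buyer's diligence team or a seller's threat hunt can actually run: one account logged in from two workstations at the same time. The script below is an added example and is not from the article or from West Monroe Partners. It reads a constructed audit-log format (timestamp, user, workstation, login/logout) with hypothetical user and workstation names, and assumes that logins and logouts are recorded per workstation so that sessions can be reconstructed.

```python
"""Flag accounts with overlapping sessions on different workstations.

Added example, not from the article. The log format and all names are
constructed for illustration; the only assumption is that each login
and logout event carries the user and the workstation it happened on.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: "timestamp user workstation event"
SAMPLE_LOG = """\
2018-05-01T08:00:00 dr.lee WS-ICU-01 login
2018-05-01T08:05:00 dr.lee WS-ER-07 login
2018-05-01T08:30:00 dr.lee WS-ICU-01 logout
2018-05-01T09:00:00 dr.lee WS-ER-07 logout
2018-05-01T09:10:00 nurse.kim WS-ER-07 login
2018-05-01T09:40:00 nurse.kim WS-ER-07 logout
2018-05-01T10:00:00 nurse.kim WS-ICU-02 login
2018-05-01T10:30:00 nurse.kim WS-ICU-02 logout
"""


def parse_log(text):
    """Yield (timestamp, user, workstation, event) from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, event = line.split()
        yield datetime.fromisoformat(ts), user, ws, event


def build_sessions(records):
    """Pair each login with the next logout for the same user/workstation.

    Returns {user: [(start, end, workstation)]}. A login with no matching
    logout is kept as a still-open session with end=None.
    """
    open_sessions = {}
    sessions = defaultdict(list)
    for ts, user, ws, event in sorted(records):
        key = (user, ws)
        if event == "login":
            # A repeated login without a logout closes the earlier session here.
            if key in open_sessions:
                sessions[user].append((open_sessions[key], ts, ws))
            open_sessions[key] = ts
        elif event == "logout" and key in open_sessions:
            sessions[user].append((open_sessions.pop(key), ts, ws))
    for (user, ws), start in open_sessions.items():
        sessions[user].append((start, None, ws))
    return sessions


def find_concurrent_use(sessions):
    """Return {user: [(ws_a, ws_b, overlap_start)]} for sessions on
    different workstations whose time ranges overlap."""
    findings = defaultdict(list)
    for user, sess in sessions.items():
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                s1, e1, w1 = sess[i]
                s2, e2, w2 = sess[j]
                if w1 == w2:
                    continue  # same workstation: not evidence of sharing
                start = max(s1, s2)
                ends = [e for e in (e1, e2) if e is not None]
                end = min(ends) if ends else None
                # An open session (end=None) overlaps anything that starts before it ends.
                if end is None or start < end:
                    findings[user].append((w1, w2, start))
    return dict(findings)


def shared_credential_report(log_text=SAMPLE_LOG):
    """Run the full pipeline over a log and return the findings per user."""
    return find_concurrent_use(build_sessions(parse_log(log_text)))


if __name__ == "__main__":
    for user, hits in shared_credential_report().items():
        for w1, w2, when in hits:
            print(f"{user}: concurrent sessions on {w1} and {w2} from {when.isoformat()}")
```

On the constructed sample, dr.lee is flagged (logged in on WS-ICU-01 and WS-ER-07 at once) while nurse.kim, whose sessions are sequential, is not. Real EHR audit logs will need their own parser, and a genuine concurrent-session policy should be confirmed with the privacy officer before treating hits as shared credentials rather than, say, a roaming-profile feature.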

If companies that know they are being purchased still have security issues, what does that say about the enterprise in general? Perhaps it's worse than we expected.

Sellers can take proactive steps in due diligence to ensure a smoother acquisition process, including:

  • Perform a thorough threat hunt.
  • Conduct security training and enforce best practices for employees at all levels.
  • Deploy cybersecurity technologies across your digital infrastructure.
  • Be open and honest with your buyers, and recognize that you won’t get the price you want if you’re not forthright.

What do you need to do? Look in the mirror. Be open and honest about where you stand and where you need to be. Perhaps that self-awareness is the catalyst to begin properly mitigating risk.
