
Cybersecurity Threats During Healthcare M&A

Kevin Ricci

When thinking about healthcare mergers and acquisitions (M&A), typical risks that come to mind may include overpayment or synergies that don’t materialize. However, if cybersecurity risks aren’t properly assessed during the M&A due diligence process, what seems like a dream deal can quickly turn into a nightmare scenario.

Given that the average number of days to detect and contain a data breach is 277 days, an intruder breaking into a company on New Year’s Day would not be identified and eliminated until just before Halloween. This number of days, known as dwell time, is an incredibly long period and could mean that an intruder who gained access before an M&A deal was initiated might not come to light until after the deal was signed. The stakes are raised by the average cost of a data breach in the healthcare sector, which is more than $10 million when hard costs and lost business are factored into the equation.

Healthcare M&A heightens the cybersecurity risk of compromising confidential health information. When healthcare organizations merge, their technology systems are combined, and so are the cybersecurity vulnerabilities of each system. As organizations grow, so does the potential for exponentially larger data breaches affecting data shared across the combined organization.

An example of this risk was a ransomware attack on a Chicago-based hospital chain that had been growing through mergers. Before those mergers and acquisitions, such an attack would have been limited to a few hundred thousand patients, but because data was shared throughout the chain, the incident is believed to have affected millions of patients from dozens of hospitals operating in more than 20 states. Because mergers and acquisitions create massive healthcare systems, it is imperative that new entrants do not introduce a weak link in the cybersecurity chain.

The best way to avoid the cybersecurity pitfalls associated with M&A is to conduct a targeted cybersecurity and technology assessment of the target environment during the due diligence process, identifying any risks and establishing a plan and costs for resolving them. Depending on the results of the assessment, it may be determined that significant risks exist and that more aggressive assessment and remediation procedures are required. For example, a detailed assessment of compliance activities may be conducted to confirm that there are no significant gaps in meeting HIPAA or other regulatory requirements. Armed with an understanding of the cybersecurity risks and the target's technology, the acquirer can then factor the associated costs into the bid calculation.

Citrin Cooperman can assess your healthcare objective using our proprietary risk assessment tool called SCORE Report, which identifies and ranks any risks, explains why they pose a risk from both a business and IT perspective, and provides recommended solutions and estimated resources to mitigate or eliminate those risks. Should any advanced technology or cybersecurity threats be discovered, Citrin Cooperman has a deep bench of experts who can strategically and effectively mitigate them.

The cost of taking a proactive approach to assessing and responding to cybersecurity threats is significantly lower than taking a reactive approach and will help avoid any disappointments associated with surprises revealed after the transaction has closed.

For more information about assessing technology or cybersecurity risk in M&A, please contact our Healthcare Transactions team or email Kevin Ricci at [email protected].

“Citrin Cooperman” is the brand under which Citrin Cooperman & Company, LLP, a licensed independent CPA firm, and Citrin Cooperman Advisors LLC serve the business needs of clients. Both firms operate as separate legal entities in an alternative practice structure. Citrin Cooperman & Company, LLP and Citrin Cooperman Advisors LLC are independent member firms of Moore North America, Inc. (MNA) Association, which itself is a regional member of Moore Global Network Limited (MGNL). All MNA affiliated firms are independently owned and operated entities. Their membership in or affiliation with MNA should not be construed as constituting or implying any partnership between them.