Ascension’s acquisition of Presence Health in August is just one in a series of healthcare mega-mergers announced this year. In July, Beth Israel Deaconess Medical Center and Lahey Health signed a deal that will create Massachusetts’ second-largest health system; Greenville Health System and Palmetto Health also announced plans to join forces and create South Carolina’s largest health system. The medical device market has seen its share of major deals as well, including Abbott’s $25 billion acquisition of St. Jude Medical and Becton Dickinson’s $24 billion purchase of C.R. Bard.
As more deals unfold and the due diligence process ensues, a significant hidden risk often sits on the sidelines: cybersecurity risks. Too often in the deal-making process, cyber is viewed as a check-the-box compliance issue and given lower priority. But with the escalating impact, scale and complexities of cyber issues, companies can no longer afford to breeze over it.
The Price of Inattentiveness
Research suggests that a high-profile cyber breach can have an immediate cooling effect on the prospects of a deal. In a recent survey of 276 directors and officers of public companies by Veracode and NYSE Governance Services, 22 percent said they would avoid acquiring a company that had recently suffered a high-profile data breach; 52 percent said they would consider it, but only at a significantly lower value. Not only are data breaches financially expensive, with one stolen electronic health record costing an average $380, but they can create significant reputational harm.
For a prime example of how cybersecurity can affect deal value, we can look outside the healthcare industry to Verizon’s acquisition of Yahoo. Following revelations that more than a billion user accounts had been compromised in a massive data breach, Yahoo had to slice $350 million off its asking price.
Even after a deal is closed, cyber issues can rattle companies. Case in point: Abbott Laboratories landed in hot water with the Food and Drug Administration (FDA) earlier this year for failing to properly investigate and address the cybersecurity vulnerabilities of implanted heart devices that it acquired when it purchased St. Jude Medical in January. In April, the FDA issued a letter condemning St. Jude for denying claims that the external devices used to transmit and receive data from its pacemaker and defibrillator systems were vulnerable to hacking. While Abbott claimed that the issues happened before the takeover was completed and issued a security patch shortly after the deal closed, the FDA still held them responsible for not doing enough to adequately resolve the issue.
Threat Levels Rise
The Abbott situation simply put a spotlight on new security vulnerabilities that are arising alongside the growing pool of interconnected devices in healthcare. Millions of medical devices have been installed in the U.S. over the past decade—many of which were created with older, less sophisticated security measures. Regardless, healthcare providers are on the line to ensure these devices are keeping both patients and their information safe. Richard Staynings, principal and cybersecurity healthcare leader at Cisco, highlighted medical device companies and healthcare providers’ cyber Catch-22: Medical device vendors fear losing their FDA certification if they surface a security problem that requires patching their medical devices; meanwhile, healthcare facilities are reluctant to take devices like CT scanners offline to install security patches since they are used so frequently.
Hackers are increasingly targeting healthcare organizations as well. The Protenus mid-year Breach Barometer tracked 233 healthcare data breaches in the first half of 2017, impacting more than 3 million patients. There were 75 hacking incidents and 29 ransomware incidents, although experts suggest these are largely underreported right now. Experian’s data breach forecast highlights ransomware as a top concern for the industry—although there have been fewer incidents, the consequences are more severe. Hackers have discovered that most healthcare organizations are willing to simply pay the ransom because the disruption is potentially catastrophic to business operations and patient safety. Experian predicts that ransomware attacks may escalate from “simply locking systems to outright stealing information to either sell or leverage for identify theft.” With personal health information among the most lucrative data to steal, and healthcare IT systems largely viewed as weak, the industry is expected to remain a top target for financially motivated attacks. And with human lives at stake, it’s a prime target for cyber warfare.
Why Compliance Isn’t Enough
Compliance audits and logs are frequently the default source of information to evaluate cyber risks during the due diligence process of a deal. The problem with that approach? Compliance takes a “just enough” attitude to meeting minimum standards. It doesn’t provide insight into how the organization monitors, tackles and resolves cyber issues. It lacks critical security insights, such as:
- Security incident logs, which detail historical and current incidents and how they have been resolved (or not)
- What kind of access employees have to software applications and the varying levels of security
- How cybersecurity is woven into the organizational culture
- Third-party and vendor cyber policies and risks
Further, regulators can take some time to catch up to issues already happening in the industry. For example, it wasn’t until July 2016 that the HHS Office of Civil Rights issued guidance on ransomware attacks. While companies may escape regulators’ wrath if they only do the bare minimum, they can expect to take a hit in the court of public opinion—resulting in real losses in share value.
Digging Deeper into Cyber Issues
Buyers and sellers alike must proceed with extra care in evaluating cyber issues when entering into any kind of transaction with another healthcare company. To effectively assess cyber risks, the following steps should be taken as part of the due diligence process:
1. Conduct a cyber risk assessment. Determine the current state of the target organization’s cyber risk profile. Performing a cybersecurity risk assessment is far less expensive than the fines, reputational damage and regulatory issues that arise following a cyber incident. A risk assessment and gap analysis can help quickly assess current policies and operations, identify gaps and prioritize remediation initiatives.
2. Take inventory of sensitive target company data. The increasing frequency and severity of threats emphasizes the need for companies to implement strong information governance policies to achieve compliance and mitigate information-related risks. Understanding what kind of data an organization has, where it resides, who has access to it both inside and outside of the organization, and how it’s protected is key to prioritizing and developing a mitigation strategy for the highest risks. Protecting potential new assets as part of a deal is key, but having this knowledge can also help maximize the value of the deal.
3. Examine insurance plans to ensure adequate levels of cyber coverage. Cyber insurance may be purchased as a stand-alone policy or included as an additional coverage under a professional liability policy. Coverage levels and terms, however, may vary greatly. Acquirers should evaluate current policies and levels of coverage, particularly if cyber coverage is added to another policy form. This may help to ensure the target organization—and subsequently the acquirer—is properly protected from losses associated with a cyber incident.
4. Perform a thorough analysis of a target entity’s IT systems and functions. This type of analysis can help identify underperforming areas that introduce risks or optimization opportunities that can create additional value, which could serve as critical bargaining chips during deal negotiations. The process should consider policies, processes and services, facilities (data centers and other processing centers), wired and wireless networks, identity and access management, hardware and operating systems, applications and data, third-party vendor risks, business continuity and disaster recovery plans, social media and big data.
While regulatory guidance and rules are still evolving around healthcare cybersecurity measures, it’s not the time to be lax. When you buy a company, you’re not only buying their data; you’re taking on the security risks that come with it.
By John Riggi and Patrick Pilch Warren Averett is an independent member of the BDO Alliance USA. This article was borrowed with permission from BDO USA, LLP