Hospital mergers and acquisitions are now considered common practice among the healthcare industry in the United States. In 2017, over 50 hospitals merged to capture economic benefits and to position themselves in the rapidly evolving landscape of healthcare. Merging two or more organizations creates systems of complexity, as cybersecurity thought leader Bruce Schneier noted: “The worst enemy of security is complexity.” Ironically, the focus tends to shift away from information security during an M and A, putting organizations at risk of security incidents and breaches. Below are five M&A security issues to consider.
1. Information Security Policies
Merging organizations need to consider how they will align their separate information security policies. The newly merged organization needs to be consistent with its plans to ensure transparency and continuity, not haphazardly use policies from the previously separate entities. The merged company has three options moving forward: 1) Pick one group of policies from the previously independent companies and disregard the rest, 2) Write policies from scratch or 3) Consolidate the policies. Once systems are aligned, then gaps must be assessed to develop a new information security strategy and then take it from that point forward.
2. User Identities and Access Management
The organization should ask itself how employee access and user identities will be defined. Often-times when a merger occurs, a large influx of users enter the network. Many of these users also become “unknown” allowing them to perform activities without monitoring and sanctioning, putting your organization at security risk. Users should be identified and given consistent employee access for their role. Healthcare organizations are using FairWarning’s patented Identity Intelligence technology within their PPI Platform to automate the correlation of detailed user information from HR and application logs to create accurate and centralized user profiles. Identity Intelligence offers enhanced security by providing the clearest picture possible of users and their behaviors within an organization.
Once users are clearly identified, the “principle of least privilege” should be applied where users are given only the permissions necessary to perform their job role.
3. Third Parties
56% of businesses reported experiencing a third-party data breach in the last year according to a 2017 Ponemon Report on Data Risk in the Third-Party Ecosystem. Non-employees such as vendors and contractors may have substantial access to the organization’s information assets. As with employees, the newly merged company must decide upon consistent access standards for its non-employees and how those standards will be enforced. Furthermore, with stronger user identities, third- party employees can be better tracked and monitored.
4. IT and Incident Response
The newly merged company contained previously separate IT teams. Before any incident occurs, the organization must map out a coordinated incident response to avoid any finger pointing or blame trading. The organization should determine how it integrates monitoring and incident response capabilities and tools. It is essential the organization respond swiftly and in an organized manner to information security incidents
5. Confidential Data in the Cloud
Healthcare organizations already have a large volume of sensitive data such as ePHI contained in multiple cloud applications and information systems. Merging two organizations increases the volume of confidential data and the footprint of that data dispersed over the network. The newly merged organization needs to know where that confidential data exists and how it is being protected. From that assessment, the organization can then standardize its practices to protect that data. Healthcare organizations use the FairWarning PPI Platform to protect patient data stored in EHR, cloud, and big data as required by HIPAA.
During an M&A, healthcare organizations are exposed to increased security risk, as policies, procedures, technologies, and teams differ for each organization. Taking a proactive approach to M&A security both before, during, and after a merger will create information security and IT continuity, and will allow organizations to streamline security operations and keep organizational data secure.