Mergers and Acquisitions in Healthcare: The Security RisksAs Entities Consolidate, Cyber Scrutiny of Partners Is Critical
Decades of hospital consolidation have converted local community hospitals largely into anomalies. The building and the name may be the same, but the hospital most likely now belongs to a cost-conscious healthcare system serving a sprawling geography.
During the height of the novel coronavirus pandemic, mergers and acquisitions in the healthcare sector slumped, but they now appear to be slowly rebounding.
This ongoing wave of market concentration has well-known consequences: price increases, quality of care decreases and possible mismatches between the local populace's medical needs and the care that's available.
One mostly overlooked consequence of mergers is the potential for more breaches of patient data. Hospital mergers don't just bring together clinics. They also combine their underlying IT systems. How well-maintained and secure many of those systems are in the first place is variable. Joining them together creates a network whose weakest link has the potential to create a data breach incident whose effects are felt far beyond the local hospital's populace. Patients in one state may have their data exposed due to a hacking incident that originated in a hospital three states away.
This may be the case in a ransomware incident last fall involving Chicago-based Catholic hospital chain CommonSpirit, which is the product of a 2019 merger between Catholic Health Initiatives and Dignity Health. CommonSpirit again expanded in 2021 by acquiring Virginia Mason Franciscan Health in Washington state.
CommonSpirit told authorities the incident caused a data breach affecting more than half a million Washington patients, but effects of the ransomware attack appear to have been felt across the megasystem of 140 hospitals operating in 21 states.
Plaintiffs in proposed class action lawsuits filed against CommonSpirit allege the number of affected individuals could be in the tens of millions.
Affected hospitals include Des Moines, Iowa-based MercyOne, which was previously jointly owned by CommonSpirit and Michigan-based Trinity Health before being acquired by Trinity Health last year. At the time of the ransomware incident, MercyOne still used CommonSpirit IT systems, and the Iowa medical center's electronic health records access and other application functionality were unavailable for several weeks following the ransomware incident.
Incidents such as the CommonSpirit ransomware attack highlight the critical importance for entities to carefully assess and address potential IT security risks involving a potential merger or acquisition, experts say.
"We are seeing that well-established health systems or entities that have very mature cybersecurity programs take on an entity which is less secure," says John Riggi, national adviser for cybersecurity and risk at the American Hospital Association.
The association advises hospital mergers to treat cyber risk with the same priority as financial analysis in a merger.
But determining and identifying the array of systems and myriad of devices used by another healthcare entity that's being acquired is not easy.
"When you buy an organization, you typically don't know everything you're buying," says Kathy Hughes, CISO of New York-based Northwell Health, which has 21 hospitals and over 550 outpatient facilities, many of which were acquired by the organization, which is the result of a 1997 merger between North Shore Health System and Long Island Jewish Medical Center.
The merger process prevents the two sides from asking too many questions about the other's cybersecurity posture, especially about risks involving third parties.
These days, any major healthcare provider relies on business associates and other vendors, and those relationships are closely held secrets, says Van Steel, leader of the healthcare information security practice at consulting firm LBMC Information Security.
Few individuals on the seller side are typically even aware that an M&A transaction is being explored, he says. "So it's not like we can just easily call up their IT manager or chief information security officer, and say, 'Tell me everything about your security structure and your vendor list and all your connections, methods and things like that,' because we're not supposed to even talk to them yet, because the deal is not done."
The buying healthcare organization can request evidence that the seller has conducted an internal risk assessment as required by the HIPAA rules. "A lot of times they haven't done that, but hopefully they have," Steel says.
It's up to the buying entity to "ask the same questions you'd ask a third-party vendor about their security controls, practices, understanding the inventory of systems used, any previous breaches, collecting that information," Hughes says.
After the merger, organizations should proceed slowly with integrating systems, she advises. "You may only want to open up the capability for the newly acquired organization to access email or the time and attendance system," she says.
"Over time, as you are able to remediate the systems up to your standards or migrate them to your existing enterprise platforms, that's when you would open up more and integrate more."
It seems certain that the momentum behind healthcare market consolidation has yet to sap. President Joe Biden in a 2021 executive order asked antitrust enforcers to crack down on hospital consolidation. The Federal Trade Commission has since blocked four hospital mergers - and let 54 proceed, finds an investigation by ProPublica.
One reason for that ratio is the focus the agency's antitrust guidelines put on mergers within a geographic region. Mergers of hospitals located in different geographies don't garner the same sort of scrutiny, and they make up an accelerating portion of hospital mergers. That is why the security of health data so often depends on the practices of hospitals patients may never set foot in.