M&A in Healthcare: Maintaining Security Throughout the Integration Process

Tim Treat recently covered the topic of M&A and security in his blog. Given the rate of consolidation in healthcare -- the year-to-date level of announced M&A activity in the healthcare sector is at its highest since Thomson Reuters began tracking such deals in 1980 -- I wanted to follow up with a deeper dive into best practices for healthcare providers.

First, as investors and board members are starting to wake up to cyber risks, deal-makers should also start to include cybersecurity more systematically in the due diligence process. Infosecurity recently discussed the results of a survey from an international law firm reporting that 82% of deal-makers believe the risk of cyber-attacks will change deal processes over the next 18 months.

When you buy a company, you are buying its data, and with it its data security problems. For a healthcare provider, that can include penalties from past failed compliance audits; theft of patient data, together with any related or pending lawsuits; the record of how past breaches or failed audits were handled; the reputation, good or bad, that the acquired entity has built through its privacy track record; and the documentation (or the lack of it) describing how access to protected patient data is managed and maintained. Any of these can directly affect the value of the deal.

Whether you are able to do this pre- or post-acquisition, the first step should be to deploy a Palo Alto Networks firewall at the perimeter of the acquired entity to get a first estimate of the type of traffic and assess the level of risk. One important point about our platform is that this does not have to disrupt day-to-day operations: you can gain application visibility simply by adding our firewalls in tap mode, where they observe a mirrored copy of the traffic without sitting inline.

Post-acquisition, you will want to consolidate around one set of systems and rationalize the now-shared application portfolio to realize some economy of scale. Here are some ways to proceed safely without creating gaps that would expose highly regulated data:

  1. Prepare the environment by developing a good understanding of potential risks and security weaknesses at the acquired entity:
    • Using Palo Alto Networks, collect as much intelligence as possible about the health of the acquired entity’s security.
    • Gain visibility into all applications, users, content, and sources and destinations of traffic, especially at the perimeter and around critical systems.
    • Use this visibility to identify where security risks and challenges are greatest. Flag which types of traffic or applications have brought the highest volume of malware and triggered the most incidents in the past.
    • Pay special attention to any traffic classified as unknown. You will need to get to a point where no unknown traffic remains unexplained.
  2. Confirm the level of compliance with internal rules and external regulations:
    • This step is critical to maintaining the level of security and compliance you have already established in your own organization. You do not want to dilute your posture, and M&A is a good time to propose the infrastructure changes that are needed anyway.
    • Review any recent compliance audits, whether passed or failed. This should indicate how much work is required to bring the acquired organization up to your level of compliance.
  3. Clear the environment of threats:
    • Eliminate applications that are not necessary. Through a few iterations, block unwanted traffic that has nothing to do with the business of health services, such as traffic from high-risk geographies you do not serve and consumer applications used by employees on the business network. The more you reduce communications on the network to those related to the business, the smaller the opportunity for cybercriminals to get in.
  4. Absorb the environment:
    • Once you are confident that you have enough visibility and control over the acquired entity’s network, merge applications and systems safely: bridge or merge directories, bring over PACS (picture archiving and communication) systems, and consolidate networks and access points for mobile devices as needed.
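As an added example of what steps 1 and 3 produce in practice (this is example code written for this article, not Palo Alto Networks code, and it reads no firewall), the script below turns a constructed sample of traffic and threat records into the risk inventory described above: bytes per application, traffic the firewall could not identify, the applications with the most threat hits, sources from geographies the provider does not serve, and consumer applications that are the first candidates to block. The record field names, the set of served countries, and the list of business applications are all assumptions made for the example.

```python
"""Added example, not Palo Alto Networks code: build the pre-integration risk
inventory from a constructed sample of firewall traffic/threat records."""
from collections import Counter, defaultdict

# Constructed sample records. The field names are an assumption for this example
# and do not follow any vendor's log schema. "unknown-tcp"/"unknown-udp" stand
# for traffic the firewall could not identify.
SAMPLE_RECORDS = [
    {"app": "web-browsing", "src_country": "US", "bytes": 52_000,    "threat": None},
    {"app": "dicom",        "src_country": "US", "bytes": 8_400_000, "threat": None},
    {"app": "hl7",          "src_country": "CA", "bytes": 150_000,   "threat": None},
    {"app": "unknown-tcp",  "src_country": "US", "bytes": 120_000,   "threat": None},
    {"app": "unknown-udp",  "src_country": "RU", "bytes": 9_000,     "threat": None},
    {"app": "bittorrent",   "src_country": "US", "bytes": 300_000,   "threat": "malware"},
    {"app": "youtube",      "src_country": "US", "bytes": 2_000_000, "threat": "malware"},
    {"app": "youtube",      "src_country": "US", "bytes": 500_000,   "threat": "malware"},
    {"app": "ssl",          "src_country": "CN", "bytes": 40_000,    "threat": "spyware"},
    {"app": "web-browsing", "src_country": "BR", "bytes": 7_000,     "threat": None},
]

# Assumptions for the example: where the provider operates, and which applications
# belong to the business of delivering care (clinical protocols plus infrastructure).
SERVED_COUNTRIES = {"US", "CA"}
BUSINESS_APPS = {"dicom", "hl7", "web-browsing", "ssl", "dns", "ldap", "smtp"}


def app_inventory(records):
    """Bytes per application: the visibility step (what is actually on the wire)."""
    totals = defaultdict(int)
    for r in records:
        totals[r["app"]] += r["bytes"]
    return dict(totals)


def unknown_traffic(records):
    """Records the firewall could not classify; the goal is to drive this to zero."""
    return [r for r in records if r["app"].startswith("unknown-")]


def threats_by_app(records):
    """Threat hits per application, so the riskiest applications can be ranked."""
    return Counter(r["app"] for r in records if r["threat"] is not None)


def out_of_region_sources(records, served):
    """Source countries the organization does not serve, with record counts."""
    return Counter(r["src_country"] for r in records if r["src_country"] not in served)


def non_business_apps(records, business_apps):
    """Identified applications with no business purpose: first candidates to block."""
    return sorted({r["app"] for r in records
                   if r["app"] not in business_apps
                   and not r["app"].startswith("unknown-")})


def assess(records, served=SERVED_COUNTRIES, business_apps=BUSINESS_APPS):
    """Assemble the findings a team would report before absorbing the network."""
    unknown = unknown_traffic(records)
    return {
        "apps": app_inventory(records),
        "unknown_records": len(unknown),
        "unknown_bytes": sum(r["bytes"] for r in unknown),
        "top_threat_apps": threats_by_app(records).most_common(3),
        "out_of_region": dict(out_of_region_sources(records, served)),
        "block_candidates": non_business_apps(records, business_apps),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

On the constructed sample, `assess` reports two unknown records (129,000 bytes) to be identified before integration, youtube as the application with the most threat hits, RU, CN and BR as sources outside the served region, and bittorrent and youtube as the first applications to block. Against a real export the same logic would run over far more rows, and the interesting output is the unknown list: each entry is either a business protocol the firewall needs a custom signature for or traffic that should not be there.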

These steps may seem burdensome, but our purpose-built platform lets you carry them out in an orderly manner. As a result, your team can build a controlled, deliberate schedule into the overall M&A plan. This reduces risk and gives you more granular knowledge and control, so you can ensure business continuity without compromising security.

Acquisitions can be central to business growth, and security should not be an excuse to slow down the integration process. Even more importantly, communicate explicitly at every step what you discover and what you plan to do about it, and report on an ongoing basis to the CIO and CISO. If you cannot take the steps required to improve the state of your security, at a minimum you need to give executives regular updates on the level of risk and options for what can be done about it.

In addition, if you do not currently have an open communication channel to executives, use the acquisition as an opportunity to create one. In today’s environment, you will find that most executives are receptive to a discussion about cyber security. As Kevin Magee recently noted, that is something that has changed a lot in the last 12 months.

Bottom line: one of the fantastic aspects of Palo Alto Networks is that our platform gives you an unmatched level of visibility into what is on your network at all times, at a level that executives can understand. Without any disruption you can show the volume of malware brought in by online videos or games that employees use on their computers, you can easily discover whether unwanted apps bypass your protection, and you can even discover whether malware hides inside encrypted communications. Give it a try -- our technology supports business growth in new ways and you won’t be disappointed.