Tim Treat recently covered in his blog the topic of M&A and security. Given the rate of consolidation in healthcare -- the year-to-date level of announced M&A activity in the healthcare sector is at its highest since Thomson Reuters began tracking such deals in 1980 -- I wanted to follow up with a deeper dive on best practices for healthcare providers.
First, as investors and board members are starting to wake up to cyber risks, deal makers should also start to more systematically include cybersecurity as part of the due diligence process. Infosecurity recently discussed the results of a survey from an international law firm reporting that 82% of deal-makers believe that the risk of cyber-attacks will change deal processes over the next 18 months.
When you buy a company, you’re buying its data -- including its data security problems. For healthcare providers, this could include penalties for past failed compliance audits, theft of patient data (including related and pending lawsuits), details of how past breaches or failed compliance audits have been handled, the good or bad reputation established by the acquired entity based on its privacy track record, and, in addition, any document (or lack thereof) describing how access to protected patient data is managed and maintained. Any of these could have a direct impact on the value of the deal.
Whether you’re able to do this pre- or post-acquisition, the first step should be to deploy a Palo Alto Networks firewall on the perimeter of the acquired entity to get a first estimate of the type of traffic and assess the level of risk. One important point about our platform is that this does not have to be disruptive to day-to-day operations -- you can get better application visibility by simply adding our firewalls in tap mode.
Post-acquisition, you’ll want to consolidate around one set of systems and rationalize the now-shared application portfolio to realize some economy of scale. Here are some ways to safely proceed and not create any loopholes that would compromise highly regulated data:
These steps seem somewhat burdensome, but our purpose-built platform will allow you to perform these tasks in an elegant manner. As a result, your team can create a controlled and deliberate schedule that is included as part of the M&A schedule. This will reduce risk and provide more granular knowledge and control to ensure business continuity without compromising security.
Acquisitions can be central to business growth. Security should not be an excuse to slow down the integration process. Even more importantly, explicitly communicate through every step what you discover and what you plan to do about it, and report on an ongoing basis to the CIO and CISO. If you cannot take the required steps to improve the state of your security, at a minimum you need to provide regular updates to executives on the level of risk and give them options on what can be done about it.
In addition, if you don’t currently have an open communication channel to executives, then use the acquisition as an opportunity to create one. In today’s environments, you’ll discover that most executives will be receptive to a discussion about cybersecurity. As Kevin Magee recently noted, that’s something that’s changed a lot in the last 12 months.
Bottom line, one of the fantastic aspects of Palo Alto Networks is that our platform gives you an unmatched level of visibility into what’s on your network at all times, at a level that should be understandable by the executives. Without any disruption, you can show the volume of malware brought by online videos or games used by employees on their computers, easily discover whether unwanted apps bypass your protection, and even discover whether malware hides inside encrypted communications. Give it a try -- our technology supports business growth in new ways and you won’t be disappointed.