Buying A Breach

Security Considerations When Acquiring a New Healthcare Organization

Now more than ever, healthcare acquisitions require a new level of security due diligence. Understanding the hidden risks and how to mitigate them can help avoid trouble down the road. The past few years have seen a significant rise in healthcare mergers and acquisitions (M&A) activity. As fiscally sound providers continue to seize buying opportunities, it is crucial to fully evaluate the security health of the target organization – particularly as threats to this sector have increased significantly during the Covid-19 pandemic.

Early in the Covid-19 crisis, many in-progress M&A deals were put on hold or cancelled, but that could be changing. In its Q2 2020 Hospitals and Health Systems M&A report, industry analysts Kaufman, Hall noted that “the need to address COVID-19’s impacts paused activity but did not change the underlying strategic rationale for many transactions; if anything, the pandemic may have strengthened the rationale for partnerships.” And with the pandemic driving hospital losses into the billions, selling may be the only option. Analysts at investment bank Juniper Advisory wrote that “the pandemic is creating a buyer’s market in which stressed hospitals are forced to sell for much-needed cash infusions and other support to keep their doors open.” Increased M&A activity involving distressed assets means complex and high-risk security integrations, at a time when breaches are already exploding. In fact, healthcare was the most targeted industry in 2019, accounting for 382 breaches and costing over $2.45b.

A breach is costly for any organization, and the diligence of HHS in investigating and fining offending organizations can make it extremely costly in healthcare, with settlements averaging nearly $1.8 million and total breach costs reaching $6.5 million. And these are just the hard costs of breach cleanup and fines – a 2019 Accenture study estimated that “each provider organization lost an average of $113 million of lifetime patient revenue for every data breach it suffered.” Since healthcare organizations often run at low margins, acquiring an organization that has an undetected breach could lead to cleanup costs, fines and lost revenue that are significantly higher than the anticipated profit from the acquisition, potentially meaning that the deal loses money over years.


Hospitals are ready-made for ransomware
