Cybersecurity is not usually a top-of-mind item during a merger or acquisition, but experts say it should be. Whether you are a healthcare provider or a health IT company, there are real threats to data and system security as the organizations integrate. Aggressively eliminating duplicate systems, for example, is highly recommended.
I recently had the opportunity to attend a panel at #HIMSS22, hosted by Fortinet and featuring:
- Troy Ament, Chief Information Security Officer at Fortinet; and
- Justin Collier, Chief Healthcare Advisor at World Wide Technology
Mergers and Acquisitions (M&A)
According to Bain & Company, healthcare M&A volume was up 16% in 2021 and values rose by 44% after a drop in both metrics in 2020. Deal value totaled an impressive $440 billion in 2021, with “multiples at an all-time high”.
Most industry watchers expect more M&A activity in 2022 and 2023.
Ament and Collier spent time during the #HIMSS22 panel discussing cybersecurity during M&A. Ament pointed to the “integration” phase (the time after the deal is signed when the organizations involved in an M&A work to integrate their operations) as a critical time for cybersecurity.
“Be very aggressive with integration after an acquisition. Eliminate duplicate systems, streamline and coordinate security processes. Don’t leave your orgs vulnerable during this important time” Troy Ament @Fortinet #HIMSS22 #cybersecurity #digitalhealth
— Colin Hung (@Colin_Hung) March 17, 2022
Having been through several M&As, I can tell you first-hand that there is a tendency to leave existing systems in place if they are working and to focus on higher-cost items first, like duplicate personnel and redundant vendors/suppliers. Duplicate computer systems fall lower on the priority list.
The problem with this, as Ament suggests, is that without proper attention, existing systems tend to be ignored during integration, which means they aren’t patched or updated. This, of course, makes the newly merged organizations more vulnerable to cyberattacks.
Collier went further and recommended extra vigilance when one of the parties to an M&A is a startup.
“Be vigilant during the acquisition phase…especially when one of the parties is a startup. Usually #cybersecurity comes 2ndary to growth. You don’t want bad actors to impact the M&A” @JustinCollierMD @Fortinet #HIMSS22 #digitalhealth
— Colin Hung (@Colin_Hung) March 17, 2022
During the due diligence phase of M&A, a lot of sensitive documents and proprietary materials are shared. It is important to exchange this information securely so that it does not end up accidentally in the public domain or vulnerable to those engaged in corporate espionage (not something that only happens in Hollywood movies).
Cybersecurity Talent
The panel also addressed the challenge of finding and keeping cybersecurity talent in healthcare. Collier stressed the importance of helping employees keep their skills up to date.
Continuous upskilling of #CyberSecurtiy staff is vital to keep them AND helps them to be more effective for your org. – @JustinCollierMD @wwt_inc @Fortinet #HIMSS22 #hitsm pic.twitter.com/RTp6O84yzj
— Colin Hung (@Colin_Hung) March 17, 2022
Although this may slightly increase the risk of an employee leaving (more likely due to pay, stress, or incompatibility with a manager), the benefits to your organization and the goodwill generated outweigh the risk.
Ament had a creative way to attract new talent.
Want to hire #cybersecurity talent? Hold a pizza lunch & learn at a local college or university. “No college kid is going to turn down a free lunch…and they will remember you for doing that.” Troy Ament sharing a ‘growth hack’ @Fortinet #HIMSS22 #HITsm #digitalhealth
— Colin Hung (@Colin_Hung) March 17, 2022
Ament also had sage advice to everyone in healthcare – to not cut corners when doing background checks on cybersecurity hires, despite the hyper-competitive market.
Troy Ament cautioning healthcare & pharma orgs not to cut corners on background checks for new hires – even though the talent market is tight. @Fortinet #HIMSS22 #cybersecurity #HITsm pic.twitter.com/xSvTQprR0g
— Colin Hung (@Colin_Hung) March 17, 2022
Payers Have a Role
The most interesting comment from the panel was the suggestion that payers have a role to play in cybersecurity when it comes to remote patient monitoring and other home-based devices. Both Collier and Ament felt that payers could use their influence to ensure only devices that are well secured are approved for coverage.
Not every RPM or home monitoring device is created equal, but if individual payers factored in cybersecurity – they could reduce the attack/privacy threats to their members – a win-win.
Payers have a role to play in #cybersecurity as well. They can set acceptable standards for RPM and other home-based devices that THEY KNOW are secure and meet minimum standards. Would you fund an insulin pump that could easily be hacked? @Fortinet #HIMSS22 #HITsm
— Colin Hung (@Colin_Hung) March 17, 2022
Other Great Advice
Collier and Ament shared a number of great recommendations with the audience, including:
The threat surface in healthcare is growing exponentially with the number of connected devices – not just within the 4 walls of the organization, but now in patient homes – Troy Ament @Fortinet #IoMT #HIMSS22 #digitalhealth
— Colin Hung (@Colin_Hung) March 17, 2022
“The more you can use automation, the safer you will be. Machines can scan faster and identify threats faster than a human being can. Leverage tech so that your people can focus on other threats” @JustinCollierMD @wwt_inc @Fortinet #HIMSS22 #cybersecurity #HITsm
— Colin Hung (@Colin_Hung) March 17, 2022
An important factor in #cybersecurity is to use root-cause analysis not as an excuse for finger-pointing but truly for learning and improving – via @JustinCollierMD @wwt_inc @Fortinet #HIMSS22 #HITsm
— Colin Hung (@Colin_Hung) March 17, 2022
Fortinet is a supporter of Healthcare IT Today
To learn more about Fortinet, visit their website: https://www.fortinet.com/
To learn more about World Wide Technology, visit their website: https://www.wwt.com/