How Acquisitions can Bring IT Security Risks

When a hospital buys another hospital or physician practice, or a software vendor buys another vendor, how much thought about securing protected health information goes into the consolidation process before that process is complete?

Often, not enough, says Munzoor Shaikh, a senior manager at West Monroe Partners, a Chicago-based business and technology consulting firm. As part of its services, West Monroe examines the information infrastructure maturity and security of the organization being acquired and conducts HIPAA/HITECH assessments of it. But there often are issues that the company being bought hasn’t tackled--and that the company buying it needs to know about.

Shaikh and colleagues have found instances where visitors are signed into a facility without first receiving a badge or card access, or where a visitor should have an escort but one is not required. When Shaikh enters these facilities, he often is not asked to sign in. “I’d like to make the distinction that we do not break protocol, but we notice that protocol is often not required of us but rather insisted on by us. That’s how we know we could have gotten away with breaking protocol without actually breaking it.”

Data conversions during a merger also often carry unnecessary security risks. For starters, all data at rest should be encrypted, not only to protect against external threats but against internal ones as well; oftentimes, data is not encrypted before a conversion begins.

Protected health information in a data warehouse may not be encrypted, and at times contractors are granted inappropriate access to such unprotected PHI.

During conversion, an internal or contracted software developer may be practicing script writing against real data that is not encrypted before the actual conversion begins, Shaikh notes. But no one should be writing a program in a test environment using real data.
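The practical alternative to handing developers real data is to feed the test environment a pseudonymized copy: direct identifiers replaced by keyed-hash tokens (so joins across tables still work), dates shifted by a per-patient offset (so intervals between a patient's events survive), free text dropped outright, and a leak check run before the rows are released. The script below is an added example written for this article, not West Monroe's tooling or any vendor's conversion code; the field names (mrn, ssn, name, dob, admit_date, dx_code, notes), the sample rows and the 180-day shift window are assumptions chosen for illustration.

```python
"""Pseudonymize PHI rows before they are loaded into a test/dev environment.

Added example (not from the original article). Field names, sample rows and
the shift window are assumptions for illustration.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample rows for the example; not real patients.
SAMPLE_RECORDS = [
    {"mrn": "MRN-000123", "ssn": "123-45-6789", "name": "Jane Q. Sample",
     "dob": "1960-04-12", "admit_date": "2014-02-03", "dx_code": "E11.9",
     "notes": "Pt Jane Q. Sample reports fatigue; call 555-0100."},
    {"mrn": "MRN-000124", "ssn": "987-65-4321", "name": "John Sample",
     "dob": "1975-11-30", "admit_date": "2014-02-05", "dx_code": "I10",
     "notes": "Follow-up in two weeks."},
]

DIRECT_IDENTIFIERS = ("mrn", "ssn", "name", "notes")  # assumed column set
DATE_FIELDS = ("dob", "admit_date")                   # assumed column set
MAX_SHIFT_DAYS = 180                                  # assumed shift window


def _tag(key: bytes, *parts: str) -> bytes:
    """Keyed hash over the given parts; the key lives in a secrets manager, not in test."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).digest()


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic token: same (field, value) -> same token, so joins still work;
    not reversible without the key."""
    return field.upper() + "-" + _tag(key, field, value).hex()[:16]


def date_shift(key: bytes, mrn: str) -> timedelta:
    """Per-patient offset in [-MAX_SHIFT_DAYS, +MAX_SHIFT_DAYS] derived from the
    original MRN, so all of one patient's dates move together."""
    n = int.from_bytes(_tag(key, "shift", mrn)[:4], "big")
    return timedelta(days=(n % (2 * MAX_SHIFT_DAYS + 1)) - MAX_SHIFT_DAYS)


def pseudonymize_record(record: dict, key: bytes) -> dict:
    shift = date_shift(key, record["mrn"])
    out = {}
    for field, value in record.items():
        if field == "notes":
            out[field] = "[REDACTED]"  # free text cannot be reliably scrubbed: drop it
        elif field in DIRECT_IDENTIFIERS:
            out[field] = pseudonym(key, field, value)
        elif field in DATE_FIELDS:
            out[field] = (date.fromisoformat(value) + shift).isoformat()
        else:
            out[field] = value  # coded clinical values (e.g. ICD codes) stay as-is
    return out


def leaked_identifiers(original: dict, scrubbed: dict) -> list:
    """Original identifier values that still appear anywhere in the scrubbed row."""
    blob = " ".join(str(v) for v in scrubbed.values())
    return [original[f] for f in DIRECT_IDENTIFIERS if original[f] in blob]


def days_between(a: str, b: str) -> int:
    """Signed day count from ISO date a to ISO date b (helper for interval checks)."""
    return (date.fromisoformat(b) - date.fromisoformat(a)).days


def build_test_dataset(records: list, key: bytes) -> list:
    """Pseudonymize every row and refuse to emit the set if any identifier leaked."""
    out = []
    for rec in records:
        scrubbed = pseudonymize_record(rec, key)
        leaks = leaked_identifiers(rec, scrubbed)
        if leaks:
            raise ValueError(f"PHI leaked into test data: {leaks}")
        out.append(scrubbed)
    return out


if __name__ == "__main__":
    key = b"example-key-keep-in-a-secrets-manager"  # assumed; never hard-code in practice
    for row in build_test_dataset(SAMPLE_RECORDS, key):
        print(row)
```

The key used for the HMAC must stay with the production side of the conversion; if it is copied into the test environment along with the data, the tokens become re-identifiable by anyone who can read both.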

The information system to which data is being migrated also needs these same protections. The source data may be encrypted, but the system in which it is being imported may not be encrypted. “People often ignore these little details,” he says. “But pull down the covers on an M&A situation, and you’ll find them.”

When a provider or vendor buys another, they also are buying the services of the acquired company’s HIPAA privacy and security officers. But both organizations likely have significant holes in their HIPAA process and when merged, the risk will carry over to the new entity and there can be confusion over who the new privacy and security officers are. “We see this a lot in clinics,” Shaikh says.

Here’s another scenario that brings unnecessary risk. Clinic A has a privacy and a security officer, but neither is very active, and Clinic B doesn’t have either officer. So the merged entity--Clinic C--does not have privacy and security officers with proper HIPAA training.

A lack of HIPAA knowledge and awareness is common among privacy and security officers, particularly in practices, Shaikh says. “Lots of privacy and security officers are self-taught and the law itself is somewhat vague, so they are still learning a lot about HIPAA/HITECH and implications to their business.”

There are other security matters that often are not addressed until a merger closes and should be handled before the ink is dry. These include standard processes for logging security incidents and for notifying relevant parties if a breach occurs.

The bottom line is that too often, the new entity following a merger or acquisition is in a precarious information security condition and no one knows it, Shaikh cautions. “You want to know before you move in the house exactly what is in the house.” But there is a lack of adequate security awareness, along with just so many other items on the table during a merger, that security often doesn’t rise to the level it should, he adds.
