The mergers and acquisition market is heating up in healthcare, both in the number and size of deals. As of late September 2017, there had been at least 561 hospital mergers since 2010, and four of the biggest last year involved entities with revenue of more than $1 billion. As the healthcare landscape continues to transform, M&A is likely to become a common occurrence and a ubiquitous strategy for smaller organizations.
As these provider organizations increasingly pursue buyout offers, they must begin thinking about their actual value to a larger company. When two companies merge, their strengths and weaknesses get married. If those weaknesses are too large or too unpredictable, the marriage often falls apart.
The due diligence process to determine those weaknesses is already exhaustive. But now that cyber crime has risen to the top of the threat landscape, evaluators are making it a prime focus. If a potential acquisition has weak security measures, a lax security culture or a demonstrated history of security failures, it’s now considered a significant liability.
This is a concern across all industries, but because healthcare deals with so much sensitive data, it’s a particularly urgent issue. Any sort of data breach would expose the parent company to HIPAA fines, lawsuits and a tarnished reputation. Therefore, cybersecurity issues may singlehandedly predict the success or failure of a merger.
Defending against everything from aggressive hackers to accidental data breaches is already a challenge, but by all indications it will get worse. This may not slow down the pace of M&A in healthcare, but it will certainly sink some deals.
The Office for Civil Rights recorded about 350 healthcare entities that had fallen victim to a breach in 2017, and those numbers likely will be eclipsed in 2018 for two reasons.
First, smaller healthcare entities have limited resources to dedicate to cybersecurity. It’s unrealistic for a small doctor’s office to hire full-time cybersecurity staff. Even the investment in basic protections is minimal because so many entities operate on tight profit margins. With so many competing budget demands, cybersecurity gets pushed to the bottom of the list.
Consequently, and second, this turns healthcare targets into low-hanging fruit for hackers. Unfortunately, that fruit is very valuable. Medical information is some of the most lucrative stolen data because it can be exploited in many ways and sticks with a person for life. Profit-driven hackers know this and go looking to steal it specifically. And because cybersecurity is often lacking, they encounter little resistance along the way.
Healthcare companies must acknowledge this liability if they hope to attract buyers. The looming threat of a future attack is just as damaging as the lingering effects of a previous one. Until the gaps in a security strategy are closed, a company will look like a risk instead of an asset.
Small and mid-sized healthcare organizations may have minimal cybersecurity budgets, but that doesn’t mean they can’t be effective. A number of sound security strategies cost little or nothing. By focusing resources in the right areas, it’s possible to defend against a majority of attacks. And by taking a targeted approach, it’s possible to demonstrate security savvy to potential buyers. Start with these steps.
Make employees an asset. Human error is a major contributor to data breaches. Educating employees about the risk and training them how to spot and avoid red flags helps to minimize the threat. Informed employees can also identify scams and attacks that security technologies may miss.
Follow a cybersecurity policy. Adopting plans and protocols ensures that every decision or action follows cybersecurity best practices. That leads to stronger security overall while also helping offices respond quickly and effectively if an issue is detected.
Secure the weakest point. The email inbox is both a repository of sensitive data and an entry point into a network. That is why the vast majority of attacks are targeted at inboxes or the data traveling between them. A simple solution like email encryption ensures that even if data is stolen, it has no value in the hands of hackers.
Choose the cloud first. Cloud-based technologies can offer more security at a lower cost. Better still, they secure data with minimal need for input or oversight. This is ideal for smaller healthcare organizations that have limited resources to invest in cybersecurity.
Accept IT as a priority. Part of why cybersecurity has suffered in healthcare is that it has been seen as an IT issue rather than as a business priority. Now that the consequences of a breach cut so deep, it’s time to change that thinking. Once organizations see this issue as an existential threat, they can focus more resources where they’re actually needed.
The central mission of healthcare is to protect the patient. That means protecting the body from illness and injury. It also means protecting the patient from exposure and exploitation. Securing data is an ethical obligation, and for the companies of today and tomorrow, it’s also a business necessity.
Register or login for access to this item and much more
All Health Data Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access