Cybersecurity risks in hospital M&A

There is a lengthy list of considerations for hospitals to address in mergers and acquisitions. Not only do hospitals and health systems have to blend two previously distinct organizational cultures and processes into one, they have to determine the best course of action for the IT systems, which can present significant risk for the acquiring hospital.

Mac McMillan, current chair of the HIMSS Privacy and Security Policy Task Force, says that if the "compliance posture" of the organization being acquired is not similar in maturity to that of the acquirer, it can be a liability for the acquiring hospital. "Oftentimes organizations that are being acquired are not up-to-date with their compliance posture or privacy and security controls, and so the minute you acquire them, they represent a liability to you."

And since the hospital being acquired is often a smaller organization, it is frequently not on par with the larger organization in terms of technology or the corresponding security controls, Mr. McMillan says. This presents another risk when the larger organization moves to connect the newly acquired entity to its network: once again, the acquiring organization absorbs the risk associated with the other entity.

"Sometimes organizations may be acquired because they're financially in need," Mr. McMillan says. "When you have an organization that is financially strapped, oftentimes they haven't spent the money [on cybersecurity] or keeping the infrastructure or systems up to date because they haven't had the money to spend. This can lead to issues with interoperability as well as with security."

There are things hospitals can do early in the M&A process to understand the risk and bolster protection of patient data while integrating the two systems.

First, Mr. McMillan suggests hospitals conduct a security audit of the organization being acquired so the acquiring organization knows what to expect. "Know where the potential gaps are in the acquiring entity's programs, technical controls environment and quantify the risk. This will not only produce valuable information to support merger deliberations, but it will allow the acquiring party to put a plan in place early on in the merger process to address identified gaps," he says.

Secondly, the acquiring organization should evaluate the level of education and training the employees of the acquired organization have surrounding health IT and cybersecurity. "This can tell you whether or not you're dealing with a population that fully understands its responsibilities and gain an impression of the compliance culture," Mr. McMillan says. In doing so, the acquiring organization can address any training gaps identified, as well as ensure that all employees under the new M&A are on the same page in terms of privacy and security controls and know what will be expected of them.


Copyright © 2024 Becker's Healthcare. All Rights Reserved.
