Healthcare systems and providers have been seeking ways to increase efficiency and productivity while embracing value-based care models and enabling patient empowerment. Efforts to make these goals a reality have taken two forms: the adoption of new tools and technology, and mergers and acquisitions.
Healthcare providers have been leveraging new applications and connected medical devices to remotely monitor patients' progress. Apps give patients more access to their own health information and an easier way to ask their physicians questions. This gives patients more power over their treatments and increases efficiency.
In addition to the use of technology, the healthcare space has seen a drastic increase in merger and acquisition (M&A) activity over the last ten years. In fact, there were 261 healthcare M&A deals in Q3 of 2018 alone. While there has been a decline in this activity in 2019 so far, this does not signify the end of healthcare M&As; more likely, it is a pause to evaluate the success of acquisitions over the past several years and to develop more strategic ways to integrate systems. M&As better equip healthcare systems to achieve economies of scale, reducing capital strain and enabling flexibility around value-based care models.
While these two trends have worked in tandem to the benefit of patients and providers, increased technology and heightened M&A activity can be a dangerous combination when it comes to healthcare cybersecurity.
Cybersecurity Risks of Healthcare Mergers and Acquisitions
Ideally, when two healthcare practices join or are acquired, the due diligence process would include a comprehensive analysis of the security infrastructure that exists in each practice’s network, data prioritization and segmentation, and a complete inventory of each device connected to the network prior to finalization of the merger or acquisition. This would provide healthcare CISOs and security teams with the base information necessary to determine where vulnerabilities may exist and how far the new combined network has to go before it can be considered secure.
However, security is often an overlooked component when it comes to health M&As. Health systems are acquiring facilities at a rapid pace to expand their business models and establish footprints in more communities. Rather than being proactive when it comes to security, CISOs are often alerted to the acquisition or merger after the fact, with the expectation that security issues will be resolved within a few weeks or months – a challenge where complex, distributed network infrastructures are concerned. Furthermore, this reactive process means that the cost of network security updates is not factored into the acquisition costs or overall budget calculations – straining security resources.
As Ken Puffer, Healthcare CTO at ePlus, states:
“During the acquisition process, changes to technology are considered and may be a part of the budget, but not always the security aspects of it. However, as soon as that agreement goes into effect, the parent organization becomes responsible for the subordinate organization’s security posture. There is no time to respond in many cases. From there, security teams have to begin to map out what it's going to take to bring that organization under the parent organization’s security umbrella - very quickly. They must act fast to ensure any identified risks are immediately mitigated, and create a strategy to address the long-term security position of the subordinate organization.”
With limited time and budget, security teams often have no visibility into what exists within each network, leaving patient data, intellectual property, and more exposed to cybercriminals.
Achieving Visibility with Network Access Controls
In the event of a health acquisition or merger, CISOs should work through three key steps, ideally during due diligence or quickly after the agreement, explains Sonia Arista, National Healthcare Lead at Fortinet.
- Obtain an up-to-date risk assessment: “This will offer insight into existing policies, procedures, and the overall governance structure.”
- Conduct a network assessment: “Crawl the network for vulnerabilities and get an understanding of the operating systems deployed in the network and the data stores.”
- Implement network access control (NAC) tools: “Implementing a NAC gives visibility into your actual assets and where they sit within the network.”
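The network assessment step above produces raw scan data that still has to become an asset list before a NAC policy can be written against it. The following is an added example, not code from the page, Fortinet, or ePlus: it parses an nmap OS-detection scan exported as XML (`nmap -O -oX scan.xml <range>`) into a first-pass inventory of an acquired network and flags hosts whose fingerprint indicates an unsupported operating system, plus hosts exposing remote-administration ports. The XML is a constructed stand-in for real scan output, and the end-of-life pattern list is an assumption the security team would maintain.

```python
# Added example (not the page's, Fortinet's, or ePlus's code): build a
# first-pass asset inventory from nmap XML output and flag legacy hosts.
# SAMPLE_NMAP_XML is constructed to look like `nmap -O -oX` output.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -oX - 10.20.0.0/24">
  <host><status state="up"/>
    <address addr="10.20.0.15" addrtype="ipv4"/>
    <address addr="00:0A:95:9D:68:16" addrtype="mac" vendor="Apple"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports>
    <os><osmatch name="Apple iOS 12" accuracy="90"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.20.0.42" addrtype="ipv4"/>
    <address addr="00:50:56:AB:CD:EF" addrtype="mac" vendor="VMware"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 7 SP1" accuracy="95"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.20.0.77" addrtype="ipv4"/>
    <address addr="00:12:34:56:78:9A" addrtype="mac" vendor="Constructed Medical Inc"/>
    <ports><port protocol="tcp" portid="104"><state state="open"/><service name="acr-nema"/></port></ports>
    <os><osmatch name="Microsoft Windows 2000" accuracy="80"/>
        <osmatch name="Microsoft Windows XP SP3" accuracy="88"/></os>
  </host>
  <host><status state="down"/><address addr="10.20.0.99" addrtype="ipv4"/></host>
</nmaprun>
"""

# Assumed end-of-life fingerprints: substrings of nmap osmatch names.
EOL_PATTERNS = ("Windows XP", "Windows 2000", "Windows Server 2003")


@dataclass
class Asset:
    ip: str
    mac: str = ""
    vendor: str = ""
    os: str = ""
    os_accuracy: int = 0
    open_ports: list = field(default_factory=list)

    @property
    def legacy(self) -> bool:
        return any(p.lower() in self.os.lower() for p in EOL_PATTERNS)


def parse_nmap_xml(xml_text: str) -> list:
    """Return one Asset per host that nmap reports as up."""
    assets = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        asset = Asset(ip="")
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                asset.ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                asset.mac = addr.get("addr")
                asset.vendor = addr.get("vendor", "")
        # nmap may list several OS guesses; keep the highest-accuracy one.
        for match in host.iterfind("os/osmatch"):
            acc = int(match.get("accuracy", "0"))
            if acc > asset.os_accuracy:
                asset.os, asset.os_accuracy = match.get("name", ""), acc
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                asset.open_ports.append(int(port.get("portid")))
        assets.append(asset)
    return assets


def legacy_hosts(assets) -> list:
    """IPs whose best OS match is on the end-of-life list."""
    return [a.ip for a in assets if a.legacy]


def exposed_admin_services(assets, admin_ports=(22, 445, 3389)) -> dict:
    """Map IP -> open remote-admin ports; these need access policy first."""
    return {a.ip: sorted(p for p in a.open_ports if p in admin_ports)
            for a in assets if any(p in admin_ports for p in a.open_ports)}


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    for a in inv:
        print(f"{a.ip:<12} {a.vendor:<24} {a.os:<26} legacy={a.legacy} ports={a.open_ports}")
    print("legacy hosts:", legacy_hosts(inv))
    print("admin services exposed:", exposed_admin_services(inv))
```

Scanning alone gives a point-in-time view and can miss devices that were off, asleep, or on unrouted segments when the scan ran, which is exactly the gap the third step, NAC, is meant to close by observing devices as they actually connect.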
NAC is a core component of access control and policy enforcement, and therefore of reducing the attack surface. With the right people and processes in place, deploying network access controls also provides visibility into every device on the network, who it belongs to, and the level of risk associated with it. That immediate visibility is essential to identifying and minimizing risk on such a tight timeline.
Specifically, NAC offers particular value in four key areas of healthcare M&A:
- Understanding Inherited Risk: Deploying a NAC offers visibility into all of your assets, context into who owns those assets, how they should be used, and their level of security. With so many connected medical devices, patient and employee mobile devices, and more connecting to the network, the NAC tells CISOs where new risks exist due to the joining of two networks. This is crucial, because as the IoT becomes more ingrained in medicine, physicians are increasingly working with vendors to purchase new tools without necessarily going through IT and security teams. Sonia Arista notes:
“Without running a NAC, you're dependent on whatever data you have from an asset management standpoint which is often broken. For large health organizations, vendors are going to doctors to buy new digital-based medical devices. So, CISOs typically don't know what's being purchased and integrated until they are asked to open up ports in the network to allow for data transfer.”
- Minimize Third-Party Vulnerabilities: In a similar vein, NACs offer visibility into which vendors have access to the network, allowing CISOs to minimize third-party risk. Many third-party vendors hold authorized access to health networks, and as that list grows over time, visibility into the resulting security posture erodes. If a vendor device is not secure, it can be used as an entryway. NAC minimizes this risk by showing which third-party devices are connected and the quality of security that exists on those devices, providing visibility at the device layer.
- Added Protections for High-Availability Departments: Another way NACs help to secure healthcare networks while minimizing downtime is through network segmentation by department and by the hours each department operates. For example, the radiology department or emergency room at a hospital will generally operate seven days a week; these are key departments for patient care and revenue generation.
However, the dermatology department may operate on a more regular five-day-a-week, nine-to-five schedule. NACs help to categorize devices by these departments and behaviors, noting, for instance, that a particular tablet belongs to the dermatology department. If that tablet then connects to the network during hours when that department does not operate, it is isolated from the network until it is determined to be secure.
Furthermore, if critical service lines, such as the ER or radiology, are running any legacy systems, NAC helps to segment these older and more vulnerable systems from the broader network. This ensures that should one of those systems be exploited, it will not halt operations in the department altogether. Segmentation limits the blast radius of a compromise; it does not replace patching or vendor remediation of the legacy system itself.
- Secure Telemedicine and IoMT Trends: Another area where NACs demonstrate value in modern networks is in enabling and securing the devices required for telemedicine, a trend that continues to grow in popularity. Many health systems are setting up telemedicine services in states where the population is widely distributed across remote areas. NAC ensures that when patient-owned devices, specifically those that have not gone through standard procurement channels, access medical networks, they are categorized and segmented appropriately. This reduces the chance that a vulnerability in one of these devices results in a breach.
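The four areas above all come down to one policy question a NAC answers at connection time: given what is known about a device, which network segment does it land in? The following is an added illustration of that decision logic, not a Fortinet product feature or code from the page. It encodes the cases described above: department schedules with off-hours quarantine, legacy systems isolated in their own segment, vendor devices restricted, patient-owned telemedicine devices kept off clinical VLANs, and unknown devices quarantined. The inventory, department names, schedules, VLAN names and MAC addresses are all constructed for the example.

```python
# Added example (not the page's or any product's code): a simplified NAC
# admission policy turning device attributes into a segment decision.
# All devices, departments, schedules and VLAN names are constructed.
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Schedule:
    days: frozenset   # weekday numbers, Monday=0 .. Sunday=6
    start: time
    end: time

    def is_open(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() <= self.end


ALWAYS = Schedule(frozenset(range(7)), time.min, time.max)             # 24x7 service lines
WEEKDAYS_9_TO_5 = Schedule(frozenset(range(5)), time(9, 0), time(17, 0))

DEPARTMENT_HOURS = {"ER": ALWAYS, "Radiology": ALWAYS, "Dermatology": WEEKDAYS_9_TO_5}


@dataclass(frozen=True)
class Device:
    owner: str            # department name, "vendor" or "patient"
    managed: bool         # went through procurement and is under IT control
    legacy: bool = False  # unsupported OS or vendor-frozen firmware


# Constructed inventory keyed by MAC, as a NAC would learn it from profiling.
INVENTORY = {
    "00:11:22:33:44:01": Device("ER", managed=True, legacy=True),   # old monitoring gateway
    "00:11:22:33:44:02": Device("Radiology", managed=True),
    "00:11:22:33:44:03": Device("Dermatology", managed=True),        # clinic tablet
    "00:11:22:33:44:04": Device("vendor", managed=False),            # vendor support laptop
    "00:11:22:33:44:05": Device("patient", managed=False),           # telemedicine phone
}

# Two sample connection times (2019-06-04 was a Tuesday, 2019-06-08 a Saturday).
TUESDAY_10AM = datetime(2019, 6, 4, 10, 0)
SATURDAY_3AM = datetime(2019, 6, 8, 3, 0)


@dataclass(frozen=True)
class Decision:
    vlan: str
    reason: str


def admit(mac: str, when: datetime, inventory=INVENTORY) -> Decision:
    """Decide which network segment a connecting device is placed in."""
    dev = inventory.get(mac)
    if dev is None:
        return Decision("quarantine", "unknown device: not in inventory")
    if dev.owner == "patient":
        return Decision("telemed-guest", "patient-owned device: internet-only, no clinical VLANs")
    if dev.owner == "vendor":
        return Decision("vendor-restricted", "third-party device: limited to its maintenance targets")
    if not dev.managed:
        return Decision("quarantine", f"unmanaged {dev.owner} device: needs onboarding")
    hours = DEPARTMENT_HOURS.get(dev.owner)
    if hours is None or not hours.is_open(when):
        return Decision("quarantine", f"{dev.owner} device seen outside department hours")
    if dev.legacy:
        return Decision(f"{dev.owner.lower()}-legacy", "legacy system: isolated from the broader network")
    return Decision(dev.owner.lower(), "managed device, in its own department, during hours")


if __name__ == "__main__":
    for mac in list(INVENTORY) + ["de:ad:be:ef:00:00"]:
        for when in (TUESDAY_10AM, SATURDAY_3AM):
            d = admit(mac, when)
            print(f"{mac} {when:%a %H:%M} -> {d.vlan:<18} {d.reason}")
```

The order of the checks matters: ownership and management status are evaluated before schedule, so a patient phone is never quarantined for being seen at 3 a.m. (it is simply never allowed near clinical segments), while a dermatology tablet at the same hour is held until someone verifies it. A real NAC would key on more than a MAC address, since MACs are trivially spoofed; certificate- or 802.1X-based identity for managed devices, with profiling for the rest, is the usual arrangement.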
Healthcare merger and acquisition activity has been on the rise just as technology has begun to play a larger role in patient care. The combination of these two trends has opened health networks up to increased risk, reducing visibility into what is operating within the network. With a modern network access control solution, healthcare CISOs can regain this visibility – enabling them to prioritize and secure multiple healthcare networks in limited amounts of time.