IT’s Guide to Dealing With Data During a Healthcare Merger
It’s 2016: Verizon Communications encounters some major static in the purchase of Yahoo! Inc as it discovers another whopping data breach of over one billion accounts. As a result, Verizon knocks 7%, or $350 million, from its original offer. Zoom forward three years: Bristol-Myers’ agrees to buy Celgene at 16 times the price of Yahoo! While difficult to think about for a multitude of reasons, imagine what kind of gargantuan discount a Celgene data breach could have spawned.
Mergers can be complex, but precautionary measures — such as a security risk assessment (SRA) — can be an essential part of a healthcare organization’s arsenal as they address the many data concerns that can arise during a merger. This guide will take you through many merger-related data issues and what your organization can do to meet them head-on.
Do They Have a Clean Bill of Health?
“You must know who you’re joining forces with,” is the merger mantra of Darin Brannan, the Chief Executive Officer and Co-Founder at ClearDATA. His reaction to notoriety-tarnishing security breaches is concise: “You want a clean company. With a breach, it’s difficult to measure the exact cost because one of the biggest factors is the reputational risk — a tough thing to put a number on.”
The damage to your brand is hard to get back and one study found that some of the world’s top brands lose nearly $223 billion from consumers not engaging with the brand after a breach. And reputation-restoring efforts are thwarted by a hungry news cycle that can continue years beyond the headlines of the initial breach. There are the public solicitations for victims affected by the breach, coverage of the twists and turns of what is often a lengthy trial, and finally the details of the settlement. Many believe that companies like Equifax will find it very difficult to rehabilitate their name, and even then, it could take at least a decade.
Fortunately, the heightened infamy of breaches is having a positive ripple effect. During due diligence or other acquisition activities, assessing security, privacy, and compliance policies and procedures are taking on expanded importance. Most potential acquirers will unequivocally demand the acquiree’s recent third-party audits and the gaps associated with them. They will then ask to see the action plan, often called a risk register, on what they’re doing to get their house in order. It’s a good place to start as both companies work together to remediate any of the problems that were found in diligence. In essence, this is driving organizations to invest in becoming a clean company, as it relates to protecting their sensitive data.
The Dangerous Security Openings of a Merger
During a healthcare merger, issues often arise around data security and data accessibility. Chris Bowen, Chief Information Security Offiver and Founder at ClearDATA, offers some specifics. “Frequently we have seen organizations that do not follow a least privilege policy — leaving too many people and titles with access to sensitive data, often even ex-employees. Organizational leaders need to be asking themselves hard questions about what systems and individuals need access to sensitive data” he noted.
There is also another major data security concern that is very common during mergers—a lack of efficient patch management at both the infrastructure and application level (think vulnerability scanning). Keeping up with important security patches in complex organizations has its challenges, and companies have procedures in place to make sure new patches are up to snuff. Part of that challenge is that these updates are frequent, require extra work, and are often unscheduled change management, and not just of your own data center or public cloud infrastructure. Many healthcare applications, built by healthcare IT organizations, run within the providers’ network and, in turn, their data center. This results in designated maintenance windows that can affect the customer, patient, and practitioner.
It is the frequency and routine of patch management that make it one of the top security threats — its commonplace nature masks its critical nature!
It’s worth repeating that big data meltdowns are often ignited by small mistakes. For example, an organization, as well as many others, used a web application that had a known vulnerability. The fix for that security hole was available for months, but the company failed to update its software. That’s all it took. It was as if a Vandal horde was pounding on the gates of Rome probing for a weakness. And then they found it. Social Security numbers, birth dates, and home addresses exposed. 143 million customer files compromised. The company’s future is imperiled. One has to wonder how many Equifax data breach cataclysms it will take for organizations to understand the absolute necessity of patching across all aspects of the environment.
FYI: IT’s M&A Concerns
You can learn a lot about a company during the due diligence process, particularly with regard to data management. The acquiree’s data policies, compliance, PHI inventories, and beyond should all be covered. In fact, the purchasing organization should strive to attain a sixth sense about any data issues prior to signing the merger agreement. If there are problems, you must understand their size and shape, and just as importantly, the costs to remediate them. A strong disclosure schedule will protect against post-closing allegations if the acquiree has breached its representations. Conversely, a false or incomplete disclosure schedule could result in a violation of the merger agreement and potentially significant liability to the acquiree, as well as the end of the merger.
The Merger Team: Not Just Team Players, But the Right Players
One of the best ways to remove frustration from the M&A process is to create a strong cross-functional merger team.
Many consider it to be the greatest data policy evaluation tool for any healthcare organization merger. For the team to be truly multi-dimensional, it must have a security representative, a regulatory representative, and a legal representative at its core. But it means more than just putting together the best people—these people also need to be willing to work together. A PwC survey found that companies that have a strong integration team and involve them early on experience 40% more favorable results. Flexibility is key. Often, two companies merging means that IT staff on both sides will need to adapt their data practices.
Representatives from both sides of the aisle must go in and look at the policies and processes from top to bottom. A sampling of the questions that need to be asked are: “Is the acquiree really following through on what needs to be remediated?” “Do the systems have disaster recovery plans in place?” “What are the issues regarding legacy systems?” Cooperation and communication will go a long way to make sure you’re getting the answers to all the critical questions.
Another key consideration to keep in mind: no one outranks a merger. Make sure your merger team has a key master — someone who can help the team gain access to the people and places they need to get their questions answered. The team must have enough clout to bring issues to the executive level quickly. Prompt communication can be vital for a fruitful merger.
Tips for Tipping the Merger Scale in Your Favor
Combine the Data — Unlock the Possibilities
Mergers, acquisitions, and partnerships are resculpting the healthcare landscape, but
a newly merged organization will not realize the full potential of its union until it can tap into the power of its combined data.
Here are a few category-specific healthcare merger tips for side-stepping the data integration roadblocks that commonly arise:
- Compliance. Make sure you have a good list of compliance standards that the acquiree follows, list of third-party auditors (internal audits are meaningless here), gap analysis report, and all plans for remediating the gaps (with owners and dates). Ask for how often they perform tabletop exercises or test their policies and procedures around compliance, and for a report of the historic results.
- Interoperability. Secure a list of all systems that have sensitive data (PHI/PII). How do they talk to each other as it relates to identity and access management and other permissions? How are these systems updated and how do these systems securely talk to each other (VPN, encryption, direct technology, etc.) as it relates to interoperability? Are all systems compliant with their software and hardware maintenance?
- Data mapping. Get a list of ICD-10 compliant applications and data versus one that is not yet ICD-10 compliant, as well as the plan for remediation. Who has access to the data? How can onboarding and offboarding of data access (least privileged access control) work? Not just in policy but also in practice. Better yet, ask to see it in practice, including logs around the data access.
- PHI inventories. Obtain a copy of their last SRA. Then evaluate the PHI Inventory in the security risk assessment and what systems contain the PHI (infrastructure included). Then build a risk profile of at-risk systems, both on the security/compliance side, and the infrastructure end.
Security Risk Assessments: Ensuring a More Mellow Merger
Third-party cloud providers bring both experience and perspective to a security risk assessment, as many perform hundreds throughout the healthcare sector each year. This deep dive into security controls, security defects, and vulnerabilities across all healthcare segments gives them a unique view into common gaps and how to overcome them. In addition, this more thorough analysis goes into a level of detail beyond the standard security risk assessment checklist. As far as its top benefits, a security risk assessment can:
- Help ensure the acquiree is compliant with HIPAA’s administrative, physical, and technical safeguards
- Uncover hotspots where that organization’s PHI could be at risk
- Root out any detailed vulnerabilities and remediation recommendations
In addition to the acquiree’s security risk assessment, a third-party assessment of the purchasing organization will provide you with an unbiased analysis of your current compliance and security status.
The cost of failing to administer a security risk assessment, or having it performed by a party with little or no experience scrutinizing sensitive health data, could mean failing to remediate risks. That combination of counterfeit competency and an increasingly invasive and punitive political and regulatory environment can make you and your balance sheets see red. Often lack of a risk assessment under the HIPAA Security Rule is often deemed as “Willful Neglect” and can include hefty fines, civil and criminal litigation, restitution, and damage to institutional and professional reputations — fallout that would bring most any merger to a screeching halt.
Is the Acquiree Certified by HITRUST?
HITRUST certification ensures that an organization will be able to leverage the latest public cloud technologies in a secure environment, with best practices and policies in place. It gives the purchaser a lot more confidence that the right things are being done. As one of the very few universally accepted foundations for analyzing whether you’re a compliant organization, HITRUST gives the parties involved the assurances that key considerations have been thought through. For example, a provider of pharmacy, telepsychiatry, and medication management services made HITRUST one of the key drivers for choosing what smaller companies it would acquire. It was very concerned about the quality of the data they were intaking and used HITRUST standards as their highwater mark. They applied the same criteria to their cloud services partner.
Earning the HITRUST certification requires an incredible amount of work, focus, and dedication. Not only in qualifying for the initial certification, but also following up on it, and keeping it up to date. If you’re in the middle of a merger and those certifications are missing—for either party—you’d have to expect that there will potentially be massive holes in the compliance and regulatory systems. On the plus side, often insurers see having HITRUST and other highly regarded certifications as a very big positive. They’ll factor these certifications in when analyzing the risk associated with the two merging companies. It’s almost like taking a defensive driving course and getting a discount on your auto insurance.
What the Right Third-party Can Bring to the Table
In the larger scheme of things, healthcare organizations, even the giants, don’t need to be a jack-of-all-trades when it comes to their larger mission. It takes an entire team completely focused on compliance to be effective. Rather, larger enterprises — as big as they are — should stay focused on the essential products and services the world needs. Not peripheral pursuits. Not compliance and security.
The key is to find a partner whose mission is the optimal complement to your own. One that is healthcare exclusive with compliance, interoperability, data mapping, PHI inventories, and related data management acumen as their core competencies—their mission in life. If a cloud services provider really understands the needs of healthcare organizations, the acquirer will have great confidence that experts have been involved with the public cloud and HIPAA compliance and security. And if they truly are healthcare industry authorities, they’ve been vetted by HITRUST. Once again, their mission harmonizes with your mission.
Then there’s the matter of neutrality. If there’s uncertainty about which merger party will have ownership of protecting and managing the data, an independent cloud services provider can offer the advantage of objectivity. Since it is a third party, no careers are at stake if they discover a negative finding. In addition, a best-in-class cloud provider will have the experience and services to efficiently gather data from multiple parties and systems.
In the end, you’ll receive a much more thorough and robust analysis of your systems.
When it comes to interoperability issues during a merger, the ability to ingest data in a common format — like FHIR, for example — is key. A cloud provider can often offer secure (encrypted) repositories for both storing, as well as moving data into new systems post-merger. Some cloud providers can also offer reference architectures and consulting to help transform the data into a cloud-ready format that is able to be ingested across applications in a standard fashion.
When it comes to evaluating sensitive data, merging healthcare entities can benefit greatly from the guidance of a third party. And while a go-between’s objectivity plays an important role in a merger, it is a third party’s industry-specific experience that is the crucial determining factor for success. Only after years of helping other organizations successfully navigate healthcare’s murky merger waters can a third party amass the battle-hardened experience to ask the “have you thought about this” and “what if that” questions that can help resolve healthcare’s distinct merger complexities. And it’s only through asking the right questions that a path can be cleared to put two merging organizations in the trajectory of their true potential.