When one thinks of mergers and acquisitions (M&A) in the healthcare sector, common risks that come to mind might include overpayment or synergies that fail to materialize. However, if cybersecurity risks are not properly assessed during the M&A due diligence process, what seems like a dream deal can quickly be transformed into a nightmare scenario.

Considering that the average number of days for detecting and containing a data breach is 277 days, an intruder hacking into a company on New Year’s Day wouldn’t be identified and eliminated until just before Halloween. That number of days, known as dwell time, is an incredibly long period, could mean that an intruder who gained access before an M&A transaction is initiated may not come to light until long after a deal has been signed. Raising the stakes is the average price tag of a data breach in the healthcare sector, which is over $10 million dollars when hard costs and loss of business is factored into the equation.

A cybersecurity risk that the healthcare M&A process poses is heightened concern over the compromise of sensitive health information. When healthcare organizations are combined, it includes the joining of respective technology systems, complete with their respective cybersecurity vulnerabilities. As organizations grow, there comes the reality that an exponentially larger data breach could occur, impacting data shared across the entire organization. An example of this risk involved a ransomware attack on a Chicago-based hospital chain CommonSpirit, which was the result of a series of mergers, including Catholic Health Initiatives, Dignity Health, and Virginia Mason Franciscan Health. Prior to the M&A activity, the attack would have been limited to a few hundred thousand patients, but because of data being shared across the entire chain, the incident is believed to have impacted millions of patients from the scores of hospitals operating in more than 20 states. As M&A activity results in the creation of massive healthcare systems, it is imperative that incoming entities do not introduce a weak link in the cybersecurity chain.

The best way to avoid the cybersecurity pitfalls related to M&A is to consider conducting a focused cybersecurity and technology assessment of the target’s environment during the due diligence process so that any risks can be identified and a plan and costs to address them can be established. Depending on the results of the assessment, it may be determined that there are significant risks, and that more aggressive evaluation and remediation procedures are required. For example, a detailed assessment of compliance efforts may be executed to ensure there are no significant gaps in the meeting of HIPAA or other regulatory requirements. Armed with an understanding of the target’s cybersecurity and technology risks, the acquirer can then factor in the associated costs when calculating an offer.

Citrin Cooperman can evaluate a healthcare target using our proprietary risk assessment tool called the SCORE Report, which identifies and ranks any risks, explains why they are a risk from both a business and IT perspective, and provides recommended solutions and estimated resources needed to mitigate or eliminate these risks. Should any advanced technology or cybersecurity risks be uncovered, Citrin Cooperman has a deep bench of experts to mitigate them strategically and efficiently.

The cost of taking a proactive approach to assess and address cybersecurity risks is significantly less expensive than taking a reactive one and will help avoid any regrets related to surprises identified after the transaction has been completed.

For more information on evaluating technology or cybersecurity risks during the M&A process, reach out to our Healthcare Transactions professionals or contact Kevin Ricci at kricci@citrincooperman.com.