Written by Ryan Freeman-Jones, Senior Manager and West Coast Office Lead, Meditology Services
Healthcare mergers and acquisitions (M&A) have quickly become one of the largest components of global M&A activity over the past several years. Several factors have contributed to this trend. Increased healthcare delivery costs coupled with decreased federal and state funding, advances and efficiencies in healthcare IT, and wider adoption of Accountable Care Organization (ACO) models are among the most prominent drivers of the uptick in M&A activity in healthcare. While the trend is positive for the industry overall, the mergers themselves can create headaches for the information security and IT functions: the combined environment is more complex, and the acquiring organization inherits whatever vulnerabilities the new entity brings with it.
As healthcare M&A activities continue, it’s increasingly important for organizations to have a strategy in place to bring new entities into the fold. This strategy should include the following key activities:
- Assessment and identification of risks
- Integration and remediation planning
- Integration and remediation execution
Assessing risk (first 60 days)
Organizations with a pending or recently closed acquisition should perform an assessment of the new entity that includes the following activities:
- Penetration testing and ethical hacking should be conducted to uncover technical vulnerabilities in the new entity's environment.
- A gap analysis against an industry security framework such as the HITRUST CSF should be conducted to identify areas of non-compliance and organizational weaknesses.
- An inventory of the security tools and solutions already in place should be documented.
- A communications and governance strategy for the integration should be developed.
Organizations should base their gap assessments on an information security framework such as the HITRUST CSF because it incorporates the HIPAA and HITECH requirements as well as the NIST CSF. Collectively, these frameworks represent the healthcare industry's best practices and the controls regulators expect. Additionally, the HITRUST CSF allows the applicable control requirements to be scoped to the size and complexity of the organization.
For organizations conducting due diligence before an acquisition or merger, assessing gaps against a recognized standard allows the parent organization to mandate remediation and to back each requested corrective action with an industry-recognized control rather than an internal preference. Quite simply, using industry-standard frameworks to perform risk assessments makes the due diligence process more efficient and more complete.
Integration and remediation planning (60 to 180 days)
The first step in integrating the two merged entities is to develop a strategy to combine and consolidate security activities, procedures and technologies. The goal of the integrated security plan is to ensure consistent controls across the combined organization. The integration plan should include the following components:
- Communication of governance plans between the two companies
- Remediation tasks to close vulnerabilities identified in the gap analysis
- Directives regarding current security projects in place at the time of the merger
- Updates to security policies to create a unified policy set for the merged organization
- Regulatory reporting and documentation action plan to ensure deadlines are met
Once again, leveraging the HITRUST CSF can facilitate the action steps and initiatives above. Many of its required controls provide structure and rigor to the planning and implementation of this work.
Integration and remediation execution (180 days and beyond)
Once the planning has been completed, execution of the integration strategy begins. It is critical that these activities take place while effective security and compliance programs continue to operate throughout the organization. Managing security and compliance is a moving target and requires diligence across a wide variety of inputs and controls.
As the legacy and new organizations coalesce into one unit, the benefits of adopting the HITRUST CSF or a similar controls framework become more apparent. The remediation projects defined against the framework become the vehicle for merging the two separate information security functions into one.
Resources can now be allocated based on strengths across a single security function instead of being stretched between two. The most effective tools and controls can be selected and licensed. The unified policy set can be operationalized and implemented.
Important program processes, such as access control reviews, become baked into standard operating procedures and are less likely to be forgotten under the burden of operating in the more complex business environment that results from the integration.
As with any security program, the completion of the integration does not spell an end to the work. Continuous improvement driven by process refinement, periodic updates to the selected framework, or new M&A activity will keep projects on the docket, but a framework will be in place to plan and execute these inevitable changes.