
Risk in Context

How Health Care Companies Can Reduce the Risk of Cyber-Attack During Mergers and Acquisitions

Posted by Holly Meidl December 16, 2015

These days, M&A is as common an acronym in health care as IV, ER, or MD. In the third quarter of 2015 alone there were 33 transactions involving hospitals worth an estimated $2.1 billion, according to PwC’s US Health Services Deal Insights. And while mergers and acquisitions provide ample opportunities, they also make the companies involved particularly ripe targets of cyber criminals who are on the prowl for a wealth of private health information (PHI) and financial data.

Given the host of data and systems that need to be combined during an M&A transaction, cyber hackers can find ample opportunities to attack. In fact, more than four out of five health care executives say that their organizations have been compromised by at least one malware, cyber-attack, or other cyber incident during the past two years, according to the 2015 KPMG Healthcare Cybersecurity Survey.

From an operational standpoint, protecting your data security and privacy when acquiring a company should be as high on your agenda as maintaining quality patient care. The following six steps should help enhance your own cybersecurity and that of your acquiring entity:

  1. Evaluate the acquiring entity’s data controls. First, ensure your organization’s patient health and financial data is secure. Then determine the security controls the new company may have in place. And then see how the two systems can mesh together.
  2. Monitor shared system data. Even before a deal, shared system data can leave you vulnerable to a cyber incident. When coordinating services requires the sharing of patient information among different providers or subsidiaries, each point of exchange creates the potential for a data breach.
  3. Check the security of electronic portals. Online health care portals are becoming more popular with patients. Access for physicians, staff, patients, third parties, and first-time users must all be reviewed. The entity being acquired may have looser controls than you require.
  4. Evaluate IT health care vendor involvement. Be aware of the recurring access that IT health care developers may have to your system or the company you are buying — including any subcontractors that transmit PHI.
  5. Know the acquiring company’s claims submission process. Criminals are known to target health care entities to fraudulently obtain medical services and to defraud the government and other payors. Being knowledgeable about a company’s claims submissions process can reduce fraud.
  6. Be aware of how the merger or acquisition will affect employees. Not securing data before M&A announcements can leave you vulnerable and lead to lawsuits from employees.

By taking these measures, you and your deal partner will be better protected from cyber threats, and staving off cyber losses will be easier. And you’ll be better positioned with insurance underwriters as you compete with your peers for their capacity.

Holly Meidl