Private equity investments in the healthcare industry have been increasing dramatically. In the past three years alone, private equity deal values in the healthcare sector totaled $102B globally. Furthermore, the healthcare industry accounted for 18 percent of private equity deals in 2017, the highest percentage ever for the industry.
There is strong private equity interest in the hospital sector as well as physician services platforms, with subsectors like home health and hospice, behavioral health and outpatient services being prime targets. Private equity interest in healthcare IT also remains high, particularly for companies that help to increase revenue and collections, reduce costs, enhance collaboration among caregivers, improve clinical care delivery and engage patients.
As investors increasingly move into the healthcare industry, they need to consider the unique risks associated with protecting patient data and the potential impact of cybersecurity attacks on their healthcare investments as part of the due diligence process.
Why Focus on Cybersecurity in the Healthcare M&A Due Diligence Process?
The high value of healthcare records is increasingly drawing the focus of cyber criminals. While credit cards can be quickly cancelled and replaced, there is no straightforward contingency plan for healthcare records once they have been breached. As a result, a medical record can be worth more than ten times as much as a credit card number on the black market.
Healthcare organizations remain vulnerable because many do not have sufficient cybersecurity resources, processes or detection measures in place. According to a 2018 report by the Ponemon Institute, breaches in healthcare typically go undetected for an average of 196 days. Not surprisingly, SecurityScorecard recently ranked healthcare 15th out of 17 major industries for cybersecurity preparedness.
Cyber attacks on healthcare organizations are surging in frequency, scope and sophistication, leading to a record number of data breaches. According to HHS, the healthcare sector reported over 400 major breaches from 2017 to 2018. In the third quarter alone, more than 4.4 million patient records were compromised in 117 health data breaches, according to the latest Protenus Breach Barometer. As evidenced by the biggest healthcare breaches of 2018, attacks can come in various forms and can impact any type of healthcare organization, from hospitals to surgery centers, pharmacies, labs and hospice providers, as well as HCIT, medical device and RCM vendors.
The Consequences of a Cybersecurity Breach
Cybersecurity breaches in healthcare can lead to severe consequences. If the Office for Civil Rights (OCR) determines the breach is attributable to non-compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), OCR can impose fines and penalties. Anthem, Inc. made news recently when they agreed to pay OCR $16 million in a record settlement after the largest health data breach in history. The breach was the result of a cyber attack.
Healthcare cybersecurity breaches are also drawing the attention of the media, leading to an increase in patient awareness. So not only can organizations face fines and penalties, they can also suffer reputational damage, impacting future revenue. According to statistics studied by the FBI, 70% of people surveyed said they would not go to a hospital after a reported breach.
Hospitals are also increasingly outsourcing services to third parties, such as revenue cycle management, analytics and healthcare IT, which is also shifting more risk to these vendors. As a result, these “business associates” are subject to the same privacy and security requirements as their covered entity counterparts. A solid HIPAA compliance and cybersecurity program can provide a competitive opportunity, whereas a breach can result in a rapid loss of customers and a potential nightmare for investors.
Because of the scope of the consequences of a cybersecurity attack, it is critical for healthcare stakeholders to elevate cybersecurity as a core strategy that is integrated into the daily operations and risk management programs of the enterprise. Proper alignment of budget, information technology and human capital resources is critical to developing a secure organization. With private equity becoming a major stakeholder in the industry, investors have the opportunity to play an active leadership role on this issue. Investors also have a fiduciary responsibility to do so in order to protect their investments.
Clearwater’s Cyber Risk Due Diligence Program
Healthcare is a complex industry for investors, with heightened legal and regulatory considerations relative to other industries. The added layer of cyber risk makes healthcare investing particularly challenging. The push/pull of data access versus data security in the healthcare setting, the increasing prevalence of connected medical devices throughout the care setting, and the dynamically changing technology environment are just a few of the reasons that private equity investors need to consider cyber risk assessments as part of their overall due diligence strategy. Given this complexity, it is important for private equity investors to find a partner with deep experience in healthcare privacy and cybersecurity in order to conduct proper due diligence.
Clearwater has been a trusted adviser to large health systems, multi-site physician practices, payers and business associates for HIPAA Compliance and Cybersecurity solutions for nearly a decade. We have established ourselves as experts in the field, which is why we were rated Best in KLAS for Cybersecurity Advisory Services in 2018 and why over 400 organizations, including Trinity Health, CHRISTUS, Medtronic, Uber and Costco, have relied on us to build and mature cybersecurity programs for their organizations. Clearwater offers the deep expertise in healthcare cybersecurity that private equity investors need.
Clearwater recently announced the launch of a new service offering specifically designed for M&A Due Diligence. Clearwater’s Cyber Risk M&A Due Diligence Assessment offers a streamlined review of existing policies and procedures, governance programs, organizational structure and practices to provide an indication of areas of excess risk before an investment is made. Clearwater’s Assessment also identifies the actions and steps that should be taken post-closing to mature the organization to an appropriate level of risk.
HIPAA compliance and cyber risk due diligence require in-depth experience and disciplined analysis, and play an important role in the overall due diligence process. Clearwater’s assessments are structured to complement private equity investors’ existing due diligence program and can be performed on short timelines and with minimum disruption to the target.
- Broad tactical assessment of all key HIPAA requirements and cybersecurity processes
- An efficient, detailed risk assessment to identify any “show stoppers” or critical areas of risk
- Performed by healthcare security and compliance experts
- ‘Off the Shelf’ program, completed in as few as 30 days
- Investment Committee-ready Findings, Observation & Recommendations report
- Provides actionable steps for improvement and a basis for a post-closing plan of action
- Optionally, Clearwater can be engaged to resolve any high-risk gaps or findings
Standard diligence protocols aren’t sufficient to properly assess a weak and immature HIPAA compliance and cyber risk management posture. Trust Clearwater to help ensure you are properly assessing the fastest evolving risk in healthcare to avoid any pitfalls in your investment strategy.
Learn more about Clearwater and the Company’s Cyber Risk & HIPAA Compliance Due Diligence Assessment for healthcare organizations.