Addressing Security Gaps and Risks Post-M&A in Healthcare
NuHarbor Security's Jack Danahy on Mistakes to Avoid Post-Merger & Acquisition
In the aftermath of mergers and acquisitions among healthcare entities - and the resulting IT integration and cost-cutting moves - gaps in technology and skills and other gaps often put organizations at higher risk for attacks and other security incidents, said Jack Danahy of NuHarbor Security.
In recent months, several healthcare organizations - including CommonSpirit and Prospect Medical Holdings - have grown substantially through mergers and acquisitions. Both have been victims of high-profile ransomware attacks that disrupted IT systems and patient care delivery in many of their facilities (see: Mergers and Acquisitions in Healthcare: The Security Risks).
"Most of the problems in cybersecurity happen at those connected points, in those gaps, and that's really where the challenges arise," Danahy said. "So even if each one of those organizations was secure in its own administration of its cybersecurity - and even if the acquiring organization had great security - you start putting these things together and suddenly you have to reimagine what cybersecurity means."
That's because cybersecurity systems do not exist in a vacuum, he said. "They tend to be tightly intermeshed with other parts of the IT infrastructure, and so there may be unpredictable effects."
In this interview with Information Security Media Group, Danahy also discussed:
- The various gaps created in the aftermath of mergers and acquisitions that add security risk;
- How to avoid common cybersecurity mistakes during and after a merger or acquisition;
- The risk created by technical debt in healthcare.
Danahy leads the research and development of NuHarbor Security's security service platform. He is also a managing partner at Almanna Cyber Fund, an early-stage cybersecurity investment firm. Prior to joining NuHarbor, Danahy founded three security software companies that were subsequently acquired by WatchGuard Technologies, IBM and Alert Logic.
This transcript has been edited and refined for clarity.
Marianne McGee: I'm Marianne Kolbasuk McGee, executive editor at Information Security Media Group. Today, I'm speaking with Jack Danahy, who is vice president of strategy and innovation at NuHarbor Security. Prior to joining NuHarbor, Jack founded three security software companies that were acquired by WatchGuard Technologies, IBM and Alert Logic. We're going to be discussing the added security risks that healthcare organizations sometimes face in the aftermath of mergers and acquisitions. So Jack, last fall, CommonSpirit, a hospital chain that's grown substantially through a number of mergers and acquisitions, experienced a ransomware attack that affected some of its hospitals in various regions of the U.S. for weeks. Most recently, Prospect Medical Holdings, which was purchased by a private equity firm about a decade ago and has also grown from five hospitals in California to 17 hospitals across several states, also suffered a ransomware attack that forced many of its healthcare facilities to take IT systems offline, disrupting patient care services. So with that said, based on what you see, Jack, are there any common factors that do seem to come into play for organizations that have grown through M&As in addition to all the other security risks that all entities face?
Jack Danahy: I appreciate you taking the time to talk about it because I think it's an important topic for us to review, as cybersecurity so often is thought of as being largely the domain of those endpoint organizations. In this case, it is a hospital or a healthcare facility in a certain region. But what is happening in these moves through the acquisition and aggregation of healthcare centers together is that it changes the natural reliance upon one another, the natural interconnectivity that happens; it changes the nature of cybersecurity. And I think that an important lesson that we're going to have to come to grips with is that for all the benefits that exist for the combination of like functions, and the sharing of expertise, equipment and knowledge and all of those things in these larger combinations, there also is a cybersecurity impact, which is that there now are more pieces that are touching one another. And having been doing cybersecurity for the last 30 years, I can promise you that most of the problems in cybersecurity happen at those connected points, in those gaps. And that's where the challenges arise. So even if each one of those organizations was secure in and of its own administration of its cybersecurity, and even if the acquiring organization had great security, you start putting these things together and suddenly you have to reimagine what cybersecurity means, if you're going to eliminate the type of gap-led cybersecurity issue that opens up the opportunity for some of these more widespread attacks to first get in, but then spread so virally.
McGee: So when you start looking at the potential gaps, what things do you see?
Danahy: Well, think about the fact that a lot of these organizations are now going to trust one another in a way that they didn't in the past. So if I look specifically at the merger - we'll just say two healthcare systems merging with one another, there are five hospitals here, five hospitals there - they traditionally didn't talk to one another very much. But if the organization that brings them together recognizes the efficiencies - and there are efficiencies in combining things such as IT acquisition or IT management, or sometimes cybersecurity - you start saying, okay, well, then I can simply think of one structure that will bring them together; it'll achieve cost savings so more can be spent on delivering quality healthcare to people, and I'm not going to worry so much about these overlapping IT systems. The problem is that a lot of those systems were purposefully implemented and configured so as to describe an ecosystem, which was just those original-type hospitals on either side of that acquisition. And when I put them together, there isn't that process necessarily to say, what does this mean now? I can no longer run them as though I'm just taking two organizations and putting them together, because they each have their own organizations outside that partnership that they deal with. They each have their own communities of trust and individuals that they trust. So if an individual in the initial part of the organization finds themselves corrupted, suddenly it's much more likely that I can see a viral spread of that corruption into this other organization, because it's largely unprotected, because it thought it was coming into an equally secured bowl. And specifically, if I think about the technology changes that can happen as a result of improving efficiencies in these acquisitions, I can think of having to change over what is the technology that supports the acquiring entity.
And so the individuals there who were experienced, responsible and had configured the existing systems, they're not going to necessarily have the same familiarity. And so they may not be as experienced or as competent as the organization that's doing the acquisition may expect them to be. And so that creates another gap, a skills gap, in terms of the way it gets connected. And the last piece of this, and I think it's a realistic concern: healthcare is a very complicated business. There are very tight margins, as people figure out the best way to offer the best care they can. Sometimes cost cutting can cause individual elements of a cybersecurity program to either be combined or eliminated, because they may appear redundant or less effective than the ones that exist in the acquiring entity. Unfortunately, cybersecurity systems tend not to live in a vacuum. They tend to be tightly intermeshed with other parts of the IT infrastructure. And so there may be unpredictable effects - gaps created by changing or eliminating systems that may appear to be redundant. So there's a whole bunch of information that has to go into a thoughtful process during that acquisition to make sure that those organizations stay as secure as they were.
McGee: So Jack, when it comes to the IT cost reductions and other expenses that are often looked at after a merger or an acquisition, and then also the IT integration that takes place in the aftermath of an M&A, are organizations not sufficiently vetting the impact of these cost-cutting measures and IT integration and the impact that it has on cyber? And how do organizations avoid some of the mistakes that happen? What mistakes do you often see in that area?
Danahy: The most common mistake that we see in these kinds of events is that there was a misunderstanding about the complexity of the challenge that was in front of people. Historically, cybersecurity vendors in the cybersecurity marketplace have been very difficult for folks to understand. There isn't a month that goes by that somebody doesn't issue a report on the shortfall in cybersecurity talent. So even just establishing an organization with sufficient resources and diligence to have a good security architecture and a good security program is hard. Expecting that same team now to take on X new entities, new challenges and new facilities and simply bring them in - it is as complicated as all the hard work that went into securing that first organization in the first place. So I think the first mistake that gets made is there is not necessarily an appreciation for how hard it will be to maintain security in that organization that's being brought in. The second mistake, I think, that gets made is that people don't understand just how remarkably complicated healthcare is from a cybersecurity perspective. If I think about the number of systems that are inherent in delivery of healthcare, it's like everything else together. You have got private information about individuals that is their most treasured - their healthcare, illnesses, remedies, all are super private. At the same time, these are very complicated financial organizations who have to think about multiple insurers and multiple providers, and the mesh to make sure that everyone gets paid. And on top of that, the federal systems and the insurance system that mandate specific styles of reporting, so it's extra complicated from a financial and reporting perspective. Now we start thinking about the devices that are involved.
Instruments that are used for imaging and instruments that are used for getting patient telemetry - some of these have been around for years, if not decades, and are running on older platforms, and exist inside a relatively fragile environment that has to be maintained in a very specific way to keep them secure. And the last bit of this is, they are so broad. The average hospital will have practitioners, doctors, nurses and technicians who are providing services, and they're coming from all over the place. Sometimes they're visiting; sometimes they're full-time employees. Sometimes they're coming in with a patient who has a specific concern. And so just managing identity and access control is also hard. So when you think about plugging these two organizations together, I don't think that anyone would be super surprised to find that if I take two banking systems and put them together, it's going to be hard. And my guess is, there will probably be hundreds or thousands of people thinking about how to make sure that works, because people intuitively say, like, oh, finance has got to be careful. Healthcare is more complicated; healthcare has more kinds of people; the healthcare ecosystem is typically a less-advanced, more legacy-style environment. And so putting this together, I think it's harder than some people will expect it to be. So one of the mistakes is, as people are envisioning these acquisitions and all the benefits that combination can bring, they may not be thinking about the cybersecurity challenges that will arise to keep them stable and resilient over the course of time - post-acquisition and integration.
McGee: And Jack, what about technical debt? In hospital systems, when the haves and the have-nots come together, how does that come into play?
Danahy: It's a great question. And I read some of the work you had done before, and some of the work that's gone on on Capitol Hill to try to help people to recognize the need to better invest in and better understand specifically rural healthcare, which is a big deal, in my mind, as well, because of the challenges of that delivery. A lot of this technology is not new. And as technologists, we always think about technical debt as: I haven't moved up to the most recent platform, I haven't started using the cloud, or I'm not using AI to help enhance service delivery. Here we're talking about technical debt in a system that provides critical care that's based on an operating system that was built 10 or 15 years ago. It's out of support. And remembering that healthcare organizations exist to help people, cure them and provide them with healthcare, they're not concerned with the shiniest new form of things. Because so much of their business is the talented, committed professionals who deliver it, the tech that supports them is second place. If the hospital board is given a choice - you can have another super talented doctor or another super talented nurse, or you can upgrade these systems that monitor people's heartbeats on the floor - what are you going to take? Well, if the ones that we have work well, then I'm going to save more lives and do more good for my community by bringing on that new talented resource that's a human, and I'm going to spend money on that. And so technical debt, it is big. But it is big in a context where there are a lot of big challenges and a lot of service delivery challenges, some of the most important of which are the caring hands and feet that will deliver the services. So it's hard to point the finger and say, you should have invested more in tech, when they're probably spending their money investing in the doctors and nurses and care for all of us.
McGee: So Jack, with all that said, is there one piece of top advice that you would offer to healthcare entities that are undergoing or contemplating a merger or an acquisition in terms of staying ahead and being aware of some of the top issues that you were just discussing?
Danahy: I would recommend that organizations who are thinking about performing these financial transactions gather the efficiencies and do a better job and reap the financial rewards as well, of course. But in bringing these things together, recognize how fundamentally they're going to change the landscape of the resilience of the firms that they're acquiring - and, in fact, the firms that they already own. If you look at this attack that we're talking about from last week, that was an attack that started more administratively and suddenly permeated its way to all these healthcare facilities, who then were knocked offline. And they could no longer be delivering the quality of care that they wanted to. As those organizations were being brought together, someone should be having the checklist the same way that, I am absolutely certain, they are making sure that all the financial audit characteristics are clean: Do we understand how much we spend for this and that? Do we understand where our commitments and our contracts are? Do we understand our liabilities for certain types of risks? They should take an equally thoughtful approach to understanding what it will mean to maintain a secure infrastructure for these organizations to live within, so that you don't see what we've seen happen a couple of times, which is a single failing - because of the fact they were brought together without that thoughtful separation - spreads rapidly, causes far more harm than most people would have expected, and completely changes the dynamics of whether the deal was a good idea in the first place.
McGee: Well, thank you very much, Jack. I've been speaking to Jack Danahy. Hi, I'm Marianne Kolbasuk McGee of Information Security Media Group. Thanks for joining us.