M&A Cyber Security in the Healthcare Sector

Healthcare Cyber Security

The healthcare industry walks a tightrope.

Econometric analysis has shown that hospital mergers yield a 2.5% reduction in operating costs per admission.[1] Achieving this full benefit, however, requires industry leaders to balance cyber security along with all of the other moving parts. The healthcare industry has been found to have the highest consumer churn rate after a data breach, with organizations losing an average of 6.7% of customers.[2]

When it comes to juggling security and operational concerns, healthcare has the dubious distinction of being the industry with the most balls in the air. It maintains sensitive data in almost every major category: personal data, medical records, payment information, proprietary and trade secret data. It balances onsite and remote workers, a laundry list of third-party business associates, a varied IT network that in many cases still uses old operating systems, a growing prevalence of Internet-of-Things (IoT) devices, and robust regulatory requirements. To top it all off, people are literally dying, and analysis has shown how easy it is for healthcare workers to throw security out the window when they feel that it competes with urgent patient care.

Each organization is different, but recent years have provided enough data to draw some overarching conclusions, and highlight the major pathways to success for healthcare professionals considering M&A activities.

What Criminals Want

Analysis has found that 83% of cyber attacks against the healthcare industry are financially motivated.[3] The rest can span a variety of motivations, ranging from espionage, to carrying out a grudge, to “just for fun.”

Criminals have a selection of targets when seeking a financial payout. The most prevalent data affected includes:

Medical data
Personal data
User credentials
As you have probably heard, a selection of medical data is more lucrative in dark web markets than other types of stolen data, and with good reason. The data does not change; one does not simply cancel and reissue a stolen SSN the way one does a credit card number. The opportunities for misuse are also rather varied. The information contained could enable everything from tax fraud and identity theft to fraudulently obtained medical care and prescription drugs.

For this reason, “user credentials” is effectively listed both among what criminals want, and how they get it (“privilege misuse”). Obtaining the user credentials of a trusted insider is a means to an end, giving the criminal a pathway to ongoing data theft. The average time to detect an attack in the healthcare industry has been measured at 255 days,[2] which is far more than enough time to patiently make the most out of any successful attack.
[1] Noether, M., and May, S. (2017). Hospital Merger Benefits: Views from Hospital Leaders and Econometric Analysis. Charles River Associates.
[2] Ponemon Institute (2018). Cost of a Data Breach Study.
[3] Verizon (2019). Data Breach Investigations Report.
© 2019 Secure Merger. All Rights Reserved. www.SecureMerger.com
How Criminals Get It

The leading temptation for a criminal targeting almost every industry is financial.[3] The differences tend to arise in how prevalent the secondary motivation (usually espionage) is. The overwhelming majority of espionage attacks come from nation-state actors. Of course, much of this is an indirect route to the same end: money. Espionage may yield a payout by bolstering one company’s competitive advantage or eroding another’s, or by selling the information to a buyer whose use will have that effect. But in these cases, the parties who stand to benefit financially fill a rather specific niche.

The more direct route to financial gain involves stealing information that can be sold to a generic buyer (medical records, personal data, payment card information) or taking the money straight from the victim with ransomware attacks or business email compromise.

The three most common patterns of attack within the healthcare industry[3] include:

Miscellaneous errors
Privilege misuse
Web applications
“Miscellaneous errors” is a broad term that includes everything from misconfiguring servers and web applications to leaving unencrypted laptops in vehicles. Providing credentials to criminals through phishing emails, and clicking links and opening attachments to install ransomware, are common user errors as well. No matter the action, it generally boils down to employee training.

As mentioned earlier, the healthcare industry is hamstrung by the sobering reality of people dying if the correct actions are not taken consistently and urgently. With this in mind, it is perhaps not surprising that a broad healthcare security study conducted in 2015 found that, due to the urgency of patient care, “workarounds to cyber security are the norm, rather than the exception.”[4]

For any cyber attack which is enabled by human victims (as most are), criminals can maximize their chance of success if they:

1) Appear not only legitimate, but authoritative
2) Create a sense of urgency
3) Camouflage with all of the other legitimate, authoritative, and urgent tasks
[4] Koppel, R., Smith, S., Blythe, J., and Kothari, V. (2015). Workarounds to Computer Access in Healthcare Organizations: You Want my Password or a Dead Patient? Studies in Health Technology and Informatics, 208: 215-220.
Because such a vast number of individuals has access to sensitive healthcare data, a criminal need only be patient and persistent, and inevitably somebody will fall for their trap. The most lucrative trap to set has lately proven to be ransomware payments. Indeed, ransomware was found to have comprised over 70% of malware in the healthcare industry in 2018.[3]

When ransomware began to really take hold a few years ago, it was strictly a volume business. Criminals’ common strategy was to demand small amounts of money, to increase the likelihood that the victim would simply pay up and put the issue behind them.
Victims’ willingness to pay led to incremental price increases. The evolution of ransomware as a business (with full-service attack packages for sale on the dark web) lowered the barrier to entry and led to a greater variety, including variants which target larger networks rather than individual users. As a result, the most recent figures show that the annual cost due to ransomware grew by 21% from 2017 to 2018 alone.[5]

A more mature ransomware industry also led to an explosion of targeted attacks against businesses, municipalities, and especially healthcare organizations. Of these three, a healthcare organization often stands to lose the most to a successful ransomware attack. Not only does it carry the operational and client losses felt in any industry, but patient treatment may also be jeopardized. Criminals love this aspect of attacking healthcare organizations, because it makes them more likely to pay hefty ransoms.

Finally, complex healthcare IT networks have been further complicated in recent years by a class of devices which are becoming so prevalent that the phrase Internet of Medical Things (IoMT) has been coined. These devices, which monitor and communicate sensitive data and influence medical decisions, are often (erroneously) configured to be internet-facing. Thus, technological advances in this arena expand the organization’s attack surface. Medical professionals see a new world of technology-driven healthcare tools, while cyber attackers see a new world of default manufacturer passwords and unpatched software.
[5] Accenture (2019). Cost of Cybercrime Study.
The impact of IoT devices in the healthcare industry cannot be overstated. Even mechanical failures have consequences; a California hospital lost its electronic health record system for a week when its HVAC units burned out. The hacking of internet-connected HVAC controls (which were the entry point for Target’s 40 million record mega-breach) has found its way to the healthcare industry as well. A Texas hospital admitted its HVAC controls were maliciously accessed by a hacker, which could have altered settings, rendered lab specimens unusable, and placed patient safety at risk.

No industry is immune to the threat. Ongoing threat intelligence indicates that Russian state-sponsored hackers are deliberately targeting IoT devices, in order to pivot to more lucrative network data.
How Organizations In Transition Are Especially Vulnerable

Whether merging with, acquiring, or being acquired by another organization, or simply reorganizing, any organization in transition is particularly vulnerable to its cyber pitfalls. The difficulties of getting frontline employees to maintain security vigilance are compounded when those employees are juggling not only the complex day-to-day tasks of patient care, but also learning new processes and reporting structures.

Consumer loyalty within the healthcare industry is relatively low. As noted above, healthcare has the highest rate of consumer loss after a data breach. Additionally, the difficulty and cost of investigating a cyber attack, recovering systems, notifying victims, meeting legal and regulatory requirements, and absorbing the negative brand impact leads healthcare to have the greatest average cost per breached record ($408), almost double the next highest industry.[2] The reality of these consequences has the potential to jeopardize much of the business case benefit that prompted an M&A activity in the first place.

Joining two diverse organizations, each with its own plethora of business associates, provides a ripe opportunity for a criminal to exploit the confusion and either impersonate a legitimate business associate, or attack the business associate themselves. Managing this aspect of M&A is critical because third-party involvement has been found to be the factor with the single greatest impact on increasing the per capita cost of a data breach.[2]
What To Do About It

The strategy to successfully navigate this minefield during M&A is twofold:

1) Investigate where the land mines are before the transaction (Due Diligence)
2) Use that information to deliberately craft the route (Integration Plan)

Operating models are often described in terms of people, process, and technology. Cyber success in M&A can be described in the same terms. First, the people aspect has been the recurring theme throughout this paper. After installing a basic security infrastructure, a heavy emphasis on training effectiveness is the most impactful way to prevent data breaches. Healthcare organizations often confuse HIPAA compliance with holistic organizational security, and so they do not poke holes in their defenses to find the weak spots. Frequent, continually evolving training on phishing and social engineering is a must-have for a sound healthcare organization.

Regarding processes, it was mentioned earlier that the single greatest contributor to data breach cost increases is third-party involvement. Its converse, the single greatest cost reducer, is an effective incident response team.[2] While the question of whether all cyber attacks are preventable may be open for debate, preventing all cyber attacks simply costs too much money for an organization to continue operating. Therefore, acknowledging the inevitability of some cyber attack, the maintenance of a current, well-resourced, and periodically tested incident response plan is the hallmark of a mature organization. Tabletop breach response exercises can reveal gaps in thinking before real-world events do.

Finally, organizations must not neglect the basic blocking and tackling of technology concerns. This includes maintaining current, segmented backups, patching software vulnerabilities, and, after an M&A transaction, not joining vulnerabilities to a larger network. The two steps listed at the beginning of this section are the keys to success on this topic.
If you’re getting ready to sell, be proactive.
If you’re getting ready to buy, ask questions.