Risk of Data Breach Doubles Just Before and After a Merger
The risk of a cybersecurity incident is twice the average during a merger or acquisition. Healthcare organizations should increase diligence during this period.
- Much of the risk is related to merging data systems.
- Security should be strengthened long before the deal is signed.
- Media attention to the deal can make the hospitals targets for hacking.
Mergers and acquisitions are common in the healthcare industry and carry many challenges for risk managers and compliance officers. One risk is data security. Research indicates the risk of a data breach doubles before and after a merger.1
During a two-year window before and after consolidation, the probability of data breaches more than doubled, according to research by Nan Clement, a PhD candidate in the University of Texas at Dallas Department of Economics. The probability of a data breach for merging hospitals during the two-year window was 6%, compared with a 3% probability for other hospitals. Her research is unpublished but was honored at a recent professional conference.1
Risk of Merging Information
Much of the post-merger risk is related to merging the information systems of the two entities, Clement says. Even if one hospital migrates to the system of the other, there can be configuration problems, different cloud services, incompatibility with some medical devices, and other issues.
Minimizing the risk must begin long before the deal is signed. “It’s the motivation of every party that matters a lot. Your boss may be less or more motivated to work with you and work on their IT, and as a buyer, your ability may be limited,” Clement says. “Also, as a buyer, you may know how to deal with this kind of problem because you have a CEO who’s a risk manager and really experienced with this issue, or you don’t.”
Understanding that the merger makes the hospitals prime targets for hacking is important, Clement says. The news that one hospital is buying another signals to hackers that if there is enough money to do that, there probably is enough money to pay a ransom.
Clement’s research also indicates there were more episodes of hacking and insider misconduct when a hospital merger or acquisition was announced. She studied data from Google Trends and found the media announcement of a merger or acquisition prompted an increase in searches for a hospital’s name and increases in hacking activity.
Awareness of the increased risk during this period could spur hospitals and health systems to invest more in cybersecurity and risk management.
“There are people in this industry who realize that the cyber cost is just going up so crazily each and every year, since probably 2018. The markets, the people in private equity — they seek relatively short-term profit, and they know that if you can manage that risk well, it’s actually a really big competitive advantage,” Clement says. “Some people realize that and put in more effort and hire more risk management people, take it seriously, and they’re ahead of the game. If somebody can deal with this, it means there is hope and they’re not going to just wait and pay the ransom.”
- Clement N. M&A effect on data breaches in hospitals: 2010-2022. Sept. 7, 2023.
- Nan Clement, Department of Economics, University of Texas at Dallas. Email: [email protected].