After the CommonSpirit ransomware attack: Why healthcare mergers and acquisitions are a 'huge' cybersecurity risk


As CommonSpirit Health, formed through the 2019 merger of Dignity Health and Catholic Health Initiatives, continues to deal with the fallout from the ransomware attack three weeks ago, security experts say such mergers and acquisitions make healthcare systems more vulnerable to security breaches.

Israel Barak, chief information security officer of Cybereason, a company that helps companies defend against attacks, said that healthcare mergers and acquisitions “create a huge risk” and “a huge opportunity for ransomware.”

Healthcare deals create a high-risk window for a cyberattack, Barak added, partly because of the regulations the sector operates under and partly because the healthcare supply chain is usually weaker.

Systems like CommonSpirit rely on an extensive network of service providers. Barak said the majority tend to be smaller organizations with a “very low level of sophistication,” and they need to share a lot of data with each other.

Barak said: “This leads to a situation in which the threat that enters the network from one place can affect a very wide range of entities within that network.”

Companies being merged or acquired are ripe targets because executives tend to focus on other priorities and may not be as vigilant, according to security experts.

“Anytime there is chaos or uncertainty, then attackers want to go in and launch their attacks,” said Anneka Gupta, chief product officer at Rubrik, a data security company whose clients include some of the largest US companies.

The FBI has warned that ransomware attackers tend to target companies going through significant financial events, including mergers and acquisitions.

Analysts from Fitch Ratings said last week that CommonSpirit is in the midst of a massive debt issuance.

For entities of this size, consolidating onto a single IT platform and set of systems does not happen at the press of a button.

“It usually takes years for a certain set of technologies to be integrated and/or aligned for IT teams,” said Allie Mellen, senior security and risk analyst at research and consulting firm Forrester.

Mellen said that while some CommonSpirit facilities have not shown the same signs of an attack, that does not necessarily indicate different security practices.

“They could have made design decisions to keep them somewhat separate from the IT point of view” as a potential defensive measure, Mellen said.

Due diligence must be done before the M&A deal is signed

Experts say the risk assessment must begin before the two companies integrate. Before concluding a merger deal, companies need to apply the same critical lens to the cybersecurity risks of the deal as they do to its other factors.

John Riggi, who advises the American Hospital Association on cybersecurity and risk, said: “Cyber due diligence should be part of the analysis, along with financial analysis, in terms of whether this creates a risk to the organization by undertaking mergers and acquisitions with a certain entity.” He declined to comment directly on the incident at CommonSpirit Health.

Part of that work is also making sure the acquiring company doesn’t inherit an attack, which can be difficult because companies like to keep their cards close to the chest before closing a deal, according to Cybereason’s Barak.

Barak said past due-diligence failures should serve as a warning, and PayPal’s 2017 acquisition of TIO is a case study in what happens when that work is not done before a deal closes.

PayPal bought TIO, a Canadian payment processing company, for $238 million in 2017. A few months after the deal closed, PayPal announced it was suspending TIO’s operations after discovering a vulnerability that exposed the personal information of 1.6 million customers. In its 2017 annual report, the company said it expected to write off $168 million through 2022, a significant portion of the original acquisition price.

The Marriott hotel chain inadvertently inherited a grave breach when it acquired Starwood Hotels & Resorts Worldwide in 2016. Two years later, Marriott said it had learned that hackers had had access to sensitive customer information for four years, exposing up to 500 million people. The breach did not affect Marriott’s own systems; it was Starwood’s reservation database that had been compromised. The two companies’ reservation databases were kept separate for a period of time after the merger, according to reports.

Rubrik’s Gupta said that technology isn’t necessarily the hardest obstacle; it’s having the right people and the right processes.

Who is responsible when something goes wrong? Gupta said this is a fundamental question that companies need to answer before an attack, not during one.

This can be a particular challenge for healthcare companies that are combining the operations and management of legacy systems spread across different regions of the country.

Often, organizations are unprepared. They may have the technology in place, Gupta said, but they haven’t prepared the organization itself for an attack.

A cyberattack is an extremely high-pressure crisis, and Gupta said it should not be the first time some leaders have worked together.

If companies do not fine-tune these processes in advance, they risk feeling more pressure to pay the ransom demanded by attackers in exchange for recovering their data or regaining access to their systems.

“There is a lot of preparation from the point of view of people, processes and technology, that has to happen in order for organizations to stop paying the ransom,” Gupta said.
