As CommonSpirit Health, which was formed through the 2019 merger of Dignity Health and Catholic Health Initiatives, continues to deal with the fallout from the ransomware attack three weeks ago, security experts say such mergers and acquisitions make healthcare systems more vulnerable to security breaches.
Israel Barak, chief information security officer at Cybereason, a company that helps organizations defend against attacks, said that healthcare mergers and acquisitions "create a huge risk" and "a huge opportunity for ransomware."
Healthcare deals are a high-risk event for a cyberattack, Barak added, in part because of regulatory complexity and in part because the healthcare supply chain tends to be weaker.
Systems like CommonSpirit rely on an extensive network of service providers. Barak said the majority tend to be smaller organizations with a “very low level of sophistication” and they need to share a lot of data with each other.
Barak said: “This leads to a situation in which the threat that enters the network from one place can affect a very wide range of entities within that network.”
Companies being merged or acquired are ripe targets because executives tend to be focused on other priorities and may not be as vigilant, according to security experts.
"Anytime there is chaos or uncertainty, then attackers want to go in and launch their attacks," said Anneka Gupta, chief product officer at Rubrik, a data security company whose clients include some of the largest US companies.
The FBI has warned that ransomware attackers tend to target companies going through significant financial events, including mergers and acquisitions.
Analysts from Fitch Ratings said last week that CommonSpirit is in the midst of a massive debt issuance.
For entities of this size, consolidation onto the same IT platforms and systems does not happen at the press of a button.
"It usually takes years for a certain set of technologies to be integrated and/or aligned for IT teams," said Allie Mellen, senior analyst for security and risk at research and consulting firm Forrester.
Mellen said that while some CommonSpirit systems don't show the same signs of attack, that does not necessarily indicate different security practices.
"They could have made design decisions to keep them somewhat separate from the IT point of view" as a potential defensive measure, Mellen said.
Due diligence must happen before the M&A deal is signed
Experts say the risk assessment must begin before two companies integrate. Before concluding a merger deal, companies need to apply the same critical lens to the cybersecurity risks of the deal as they do to other factors.
John Riggi, who advises the American Hospital Association on cybersecurity and risk, said: "Cyber due diligence should be part of the analysis along with financial analysis, in terms of whether this creates a risk to the organization by undertaking mergers and acquisitions with a certain entity." He declined to comment directly on the incident at CommonSpirit Health.
Part of that work is also making sure the company doesn't inherit an attack, which can be difficult because companies like to keep their cards close to the chest before closing a deal, according to Cybereason's Barak.
Barak said past due diligence failures should serve as a warning, and PayPal's 2017 acquisition of TIO is a case study in what can go wrong when that work is not done before an acquisition.
PayPal bought TIO, a Canadian payment processing company, for $238 million in 2017. A few months after the deal closed, PayPal announced it was suspending TIO's operations after discovering a vulnerability that exposed the personal information of 1.6 million customers. In its 2017 annual report, PayPal said it expected to write off $168 million through 2022, a significant portion of the original acquisition price.
The Marriott hotel chain inadvertently inherited a grave breach when it acquired Starwood Hotels & Resorts Worldwide in 2016. Two years later, Marriott said it had learned that hackers had held access to sensitive customer information for four years, exposing the data of 500 million people. Marriott's own systems were not affected; it was Starwood's reservation database that had been compromised. The reservation databases of Marriott and Starwood were kept separate for a period of time after the merger, according to reports.
Rubrik's Gupta said that technology isn't necessarily the hardest obstacle; having the right people and the right processes is.
Who is responsible when something goes wrong? Gupta said this is a fundamental question that companies need to solve before the attack.
This can be a challenge for healthcare companies that are combining the operations and management of legacy systems spread across different regions of the country.
Often, organizations are unprepared. They may have the technology in place, Gupta said, but they haven't prepared their organizations for what an attack will do.
Gupta said a cyberattack, an extremely high-pressure crisis situation, should not be the first time some leaders have interacted with each other.
If companies do not fine-tune these processes, they risk feeling more pressure to pay the ransom demanded by attackers in exchange for restoring their data or regaining access to their systems.
“There is a lot of preparation from the point of view of people, processes and technology, that has to happen in order for organizations to stop paying the ransom,” Gupta said.
CommonSpirit was born from a megamerger
CommonSpirit is only three years old.
The system was formed in 2019 through a massive merger between San Francisco-based Dignity Health and Colorado-based Catholic Health Initiatives.
The deal combined Dignity operations in the West with CHI systems located predominantly in the Midwest and South.
This merger created one of the largest health systems in the country, with a group of 142 hospitals spanning 21 states and combined revenue of nearly $29 billion in 2019.
At the time, executives said CommonSpirit was created to address urgent national health issues and needed greater scale to make an impact at the national level.
Currently, CommonSpirit has more than 25,000 physicians and other clinicians and more than 2,200 care sites, according to its latest annual report. This does not include the independent providers who interact and share information with the system.
Possibly indicating the scope of the problem, Healthcare Dive found that affiliated health systems in seven states had banners displayed on their websites warning of an ongoing IT issue. In all but one case, these warnings appeared on CHI websites:
- CHI Saint Joseph Health – Kentucky
- CHI Health – Nebraska
- CHI Health – Iowa
- CHI St. Alexius Health – North Dakota
- CHI St. Gabriel's Health – Minnesota
- CHI St. Luke's Health – Texas
- CHI Baylor St. Luke's – Texas
- Virginia Mason Franciscan Health – Washington
CommonSpirit appears to have confirmed that the other half of its network, Dignity Health, did not suffer the same disruption.
The system said in a recent statement that Dignity Health facilities, along with TriHealth and Centura Health facilities, did not experience the same clinical or patient-care disruptions.
Given that acknowledgment and the online warnings, the attack appears to have hit the CHI Health entities hardest.
The attack comes at a difficult time for service providers.
CommonSpirit said in its 2022 financial results that the effects of the pandemic continue to weigh on hospital operators. Staffing shortages have pushed up costs by forcing reliance on more expensive contract labor. The system recorded a loss of $1.8 billion for 2022.
However, credit rating agency Fitch said it does not expect a rating change as a result of the cyberattack on the system. CommonSpirit carries cybersecurity insurance, according to Fitch.