Managing Asset Risks During Healthcare M&As

Pierluigi Paganini January 17, 2023

How healthcare delivery organizations (HDOs) can manage the IT asset risks during a healthcare M&A process.

You have probably heard the term mergers and acquisitions (M&A) before. An M&A is often associated with the “business world” and with industries such as finance, retail, and technology. But M&As are also common in the healthcare industry, and the question is how healthcare delivery organizations (HDOs) can manage the risks associated with the process – specifically, IT asset risks.

The outcome of a merger or acquisition is much the same: the entities involved are combined or absorbed into one another and, by legal definition, become the same organization. An M&A can bring a string of benefits, such as increased profitability, market strength, diversification of services, and acquisition of IT assets. However, the acquisition of IT assets introduces cybersecurity complexities that must be managed for the process to go smoothly.

The Asset Problem 

During the M&A process, the IT assets within those organizations transfer ownership and get absorbed into another system. In other words, an HDO’s asset inventory can drastically change overnight. And with new assets come new risks. However, the visibility gaps of existing cybersecurity tools mean these new assets go unmanaged. 

When assets go unmanaged, so do their associated risks, and things can take a turn for the worse, especially when talking about the healthcare industry. Some consequences include threats to patient safety and the leaking of confidential data, both of which jeopardize an entity’s compliance efforts – another consequence in itself. 

The healthcare industry is heavily regulated because it handles highly sensitive information and treats patients, so compliance must be maintained constantly. Yet during the M&A process, compliance efforts are threatened, as visibility gaps mean HDOs don’t actually know what risks they are taking on when acquiring new assets. This presents opportunities for sensitive patient data to be leaked, as unmanaged assets may gain unauthorized access to certain parts of the network. Similarly, the acquisition of faulty or incompatible assets can compromise patient safety if they go unmanaged. Such assets can fail to operate as expected, which may interfere with the provision of patient care, such as by delaying surgeries or patient diagnoses.

Assessing that Asset Problem

An M&A should be a time for organizational improvement, not increased cybersecurity risks. So how does a healthcare entity going through the M&A process properly manage the influx of assets?

It all starts with comprehensive asset risk management, as this will provide organizations involved in an M&A with the necessary visibility to know what they are acquiring.

Next comes risk assessment and identification; healthcare organizations acquire risks along with assets. To keep their services up and running, HDOs must be aware of and manage the risks they are taking on when adding new assets to their network. With complete asset visibility, an asset risk management solution provides an accurate representation of each asset’s risk posture in the relevant business context so that security teams know exactly what to prioritize and how. 

When all assets are visible and their risk postures identified, HDOs can mitigate any suspicious assets that might impede their services. The goal for any M&A is to bring benefits to the organization in as smooth a process as possible. For this to happen, however, cybersecurity must be at the forefront, with asset risk management a fundamental part of the M&A process. Like installing a good suspension system on a car that you’re about to take off-roading, it will improve the quality and make sure you can focus on enjoying the ride.

About the author: Sepio
