Dive Brief:
- Hospitals are particularly vulnerable to data breaches in the year before and after mergers and acquisitions, according to research from the University of Texas at Dallas.
- The paper found that the probability of a data breach was 6% for merger targets, buyers and sellers in the year before and the year after consolidation, compared with 3% for hospitals outside that two-year window.
- The complexity of combining IT systems puts hospitals at risk, according to economics PhD candidate Nan Clement, the paper's author. Hacking incidents and insider misconduct, which includes both mistakes and intentional wrongdoing by workers, also increased in the period before a deal is signed, suggesting that the heightened attention a pending deal draws could attract attacks.
Dive Insight:
The research, which analyzed hospitals’ merger records and breach reports from the HHS between 2010 and 2022, comes as data breaches become increasingly costly for healthcare systems.
Healthcare breaches exposed 385 million patient records during that period, and hacking incidents have soared over the past five years, according to federal records.
The healthcare industry is the most expensive sector for data breaches, with the average cost reaching nearly $11 million this year, according to research conducted by the Ponemon Institute and published by IBM Security.
Ransomware, where attackers encrypt or lock critical data and demand payment to restore access, is a particular concern for merging health systems. On average, 4.6% of merger deals suffer a ransomware attack reported by the buyer, seller or target hospital, according to Clement's research.
Ransomware attacks can also be dangerous for patients as they may disrupt hospital operations. An attack at Los Angeles-based Prospect Medical Holdings last week shut down emergency rooms and forced ambulances to divert to other hospitals. Late last year, a ransomware attack at Chicago-based CommonSpirit Health interrupted access to medical records and delayed care.
Hospitals should consider adopting the risk management practices of investor-owned and publicly traded hospitals, which saw a significant decrease in insider misconduct during the two-year merger window rather than an increase, according to the paper.
They should also develop comprehensive plans for integrating their IT systems early in the merger process, and put together an incident response plan in advance rather than after an attack has begun.
Other experts have raised concerns about the increased risk of data breaches in the wake of healthcare M&A, noting that executives are likely focused on other priorities instead of cybersecurity. The FBI also cautioned in 2021 that ransomware attackers use big financial events, like M&A, to target companies and increase their leverage, though that warning was not specific to the healthcare industry.