June 15, 2020

Patient Privacy, Data Security Are Increasingly Critical in Healthcare M&A Transactions

Point by Point

This episode of Point By Point was produced prior to the combination of Waller and Holland & Knight.

Over the past decade, transactions involving the acquisition or sale of healthcare organizations include considerations regarding patient privacy, data security and cyber compliance. This is even more true today as we navigate a pandemic and prepare for what the future might look like, including greater usage of technology in the healthcare setting.

Beth Pitman, a partner in Waller’s healthcare regulatory compliance practice, joins Baxter Lee, CFO of Clearwater Compliance, and Jon Moore, Senior Vice President and Chief Risk Officer at Clearwater Compliance, for an in-depth discussion.



Over the last decade or so, transactions involving the acquisition or sale of healthcare providers include a lot of considerations regarding healthcare technology, patient privacy, data security and cyber compliance. This is even more true today as we navigate a pandemic and prepare for what the future might look like. I am joined today by Beth Pitman, a partner in Waller's healthcare regulatory and compliance practice group, Baxter Lee, CFO of Clearwater, and John Moore, senior vice president and chief risk officer at Clearwater. Let's jump in, and to kick things off, Baxter, can you give us a brief introduction to Clearwater? Who do you work with, and what sort of role does the firm play in healthcare M&A transactions?

Baxter Lee: Clearwater was founded in Nashville about 10 years ago. Our mission at Clearwater is to empower healthcare providers and their partners to protect patients and their data, meet compliance requirements and gain a competitive advantage through best in class enterprise cyber risk management software and consulting services. We work with over 400 healthcare organizations range ranging from midsize provider groups to large IDNs, as well as their vendors, meaning healthcare IT companies and other outsourced service providers. More recently, we've been working with companies like Uber that are coming from outside of healthcare that recognize the need to have strong HIPAA compliance and cybersecurity programs to be successful in the healthcare industry.

Morgan Ribeiro: How are investors in particular thinking about the issues of data security and patient privacy as it relates to their investment strategy?

Baxter: If you think about what we do, we help organizations avoid preventable breaches and meet important regulatory compliance requirements like HIPAA. For an investor-owned company, a breach or unauthorized disclosure of EPHI or other sensitive data can result in regulatory scrutiny, class action lawsuits, fines and penalties, or losses. The loss of patients and our customers, all of which may severely damage a portfolio company's business reputation or long term value. As we studied our customer base over the last couple of years, we began to realize that more and more of our customers were private equity-owned, and we realized we needed to elevate the conversation to help investors understand the importance of the work we were doing in terms of helping them protect their investment. However, as we started having conversations with investors, we noticed a general lack of understanding of the risk around cybersecurity and HIPAA compliance. A lot of investors would openly admit this is an area they needed to get smarter in. Some told me that they didn't know the right questions to ask or how to validate the responses they got if they did ask certain questions. So the level of sophistication wasn't there a couple of years ago, but it seems to be improving. Investors today realize that they can't just rely on their management teams to keep an eye on things, that they need to be more proactive in managing these increasingly important risks. And all that starts with due diligence before making an acquisition. We see more and more investors making cyber risk due diligence a priority, and we believe this will be as integral as any other component of due diligence, such as legal accounting, insurance reviews and the like.

Morgan: Beth, is that similar to what you're seeing in your practice right now?

Beth Pitman: Yes, Morgan. Waller represents many healthcare businesses that are considering the acquisition of other providers or the sale of their own business as well as a number of private equity investors. My practice particularly includes a fair amount of time advising healthcare providers, private equity investors and healthcare technology companies regarding HIPAA and other privacy and security issues. So prior to coming to Waller, I was in-house at VHR Company for several years and very familiar with the data security and privacy issues and regulations that face healthcare industry and healthcare technology today. Since coming to Waller, most of my work has been on the buyer side, but I do represent some sellers. So for our clients who are considering selling their practice or business, to the extent we can we get involved prior to the beginning of the process and advise them on their HIPAA compliant stature, and we try to perform a mini audit of the business's HIPAA compliance. So many of our providers are facing a multitude of regulatory requirements, and it's difficult for them to meet all those requirements, given the limited resources they have. So it's necessary for them to reach out third-party providers like us and Clearwater to help meet those needs. John, is there anything that you would add to that? Particularly, on the investor side?

John Moore: I think from our perspective, from the investor side, there's a lack of maturity in their understanding of the risks associated with cybersecurity. That's changing, and hence conversations like we're having today and what we're seeing in the marketplace where organizations are becoming more engaged in due diligence and the due diligence process and understanding that due diligence process. What I think that we're seeing is, and where the maturity needs to continue to expand, is in the area of understanding what the objective of this diligence process is. So when we're designing a due diligence program for a purchaser, we're looking at primarily three different criteria. And those are the time we have available to do the diligence, the objective of the diligence and the access we're going to have to the target organization. All three of those elements are determined by where in the acquisition lifecycle we're able to engage. So for example, if we're talking pre letter of intent, we have time, but we have limited access, we're not able to engage with the target directly. So we're only able to engage passively. By passively, I mean we're doing research that's publicly available either through web searches and/or searches on places like the dark web where no one should really tread but also think there's some more passive scanning type techniques you can use to gain an understanding of the maturity of the organization's cybersecurity program. So at that pre LOI stage, while you have that time, you're limited access. There's only a limited amount of objectives you can achieve with that because you simply don't have the access to the information. I can't, for example, tell you necessarily whether they're HIPAA compliant. I can tell you that if they don't have a privacy practice notice published on their website, it's probably a good indication that there may be issues. But there's limits to what you can do.

Now, when we move to sort of post-LOI pre-close, the timeline suddenly compresses. We're almost always under some sort of deadline. However, we have more access to information. That can vary though from just documentary evidence to broader access that includes the ability to interview subject matter experts within the target as well as potentially do technical testing or scanning of their environment. That greater access allows us to achieve a broader set of objectives, including potentially a full risk analysis as required under the HIPAA Security Rule, understanding of the effectiveness of the controls they've implemented to understanding the compliance with the HIPAA Security Rule, or the maturity of their overall security program.

Once we go sort of past closed stage, really, for us, what we're trying to help organizations with is primarily remediation. So we've identified things, now we have time, we have all the access we need, of course, we're post-close. So anything we're going to find, unless it's been planned for accordingly during the purchase, everything we're going to find is going to be primarily the responsibility of the purchaser, and we're going to be focused primarily on remediation at that stage. So the objectives that we can achieve depend on that access to the target as well as the time that we have available to do the diligence. We spend a significant amount of time working with our customer organizations in understanding that and also what's achievable given the circumstances of any particular opportunity that we are helping with.

Baxter: So to add on quickly to a point John just made, we've had conversations with several investors at the fund level about how to organize sort of a strategic approach to these types of reviews across the various phases of their investment lifecycle, and we're seeing those conversations resonate really well with investors as an opportunity to take a much more strategic approach to managing risk across the portfolio.

Beth: Yeah, I agree with Baxter. We have seen plenty of investors that are interested in both preparing prior to acquisition and trying to have a have an aggressive approach to remediating those things post-acquisition, and then having a long term approach to maintaining HIPAA compliance and staying up to date.

Morgan: So given that data and technology are such an integral part of any healthcare company strategy these days, even for physician practices, John, from your perspective, why do you feel like that understanding of data security isn't a priority before that point?

John: I think it's two things, and both of which I think are changing. The first is that it's just not considered at all. They just don't think that it's something that requires consideration during the purchase process, and I think that's been less and less frequent that's the case. The second is that organizations often underestimate the risk and the potential impacts if those risks come to fruition. Particularly in healthcare, when you look at the statistics on the cost of a breach, for example, and you look at where those costs are the greatest, it turns out that if you're a healthcare organization in the United States, the cost of a breach is more expensive than in any other industry in any other part of the world. And I don't think that most leaders in healthcare, unless they've experienced the breach themselves and had to transfer those costs, understand and recognize that and including the cost of remediation, even if you haven't had a breach, the costs associated with remediating in an organization that you've acquired that hasn't had in place an adequate and reasonable Information Security Program, those costs and the time associated with that can be relatively significant. It's nothing to have to spend several years bringing a security program up to a level of compliance and/or a level that's reasonable and appropriate for the scale and complexity of the organization that you're dealing with. And obviously, when you're talking about a situation where it's going to take multiple years to complete that level of remediation, the cost associated with that is not insignificant.

Morgan: Beth, is that similar to what you're seeing?

Beth: Yes, it is. Morgan. The resources that are available to healthcare providers today and to investors to address HIPAA compliance is a consideration. There are so many regulatory compliance requirements that they have to meet that it's just overwhelming. They have fraud, waste and abuse compliance, state regulatory requirements, and all of those have significant repercussions probably from a financial standpoint are greater than the HIPAA and breach issues. So when investors look at the financial risk, which is what they're considering, HIPAA probably falls lower in the risk category for them, that's probably one reason. The other one is that the cost of trying to bring a noncompliant acquisition up to par is significant and takes time. And so they have to devote the resources to that and if the acquisition has several areas of healthcare noncompliance, then it is a challenge. And so for that reason, the HIPAA data security and privacy may not be high on their list of remediation process. But we do try to work with our sellers pretty close to try to remediate those so that they're in a better position, and we can get a better value for their practice. And then we work with the buyers post-close also to try to have an aggressive approach to remediation.

Baxter: I think what we're seeing in our conversations with investors is that those that have understood the impact of a potential HIPAA compliance issue or a cybersecurity breach, if they can get out in front of these emerging risks and build efficient programs more cost efficiently by starting early, they can gain a competitive advantage versus their peers. And so I think this is becoming an opportunity to prioritize HIPAA compliance and cybersecurity among the list of all the other regulatory requirements and things that Beth outlined to avoid a preventable breach and all the costs associated with remediation that John outlined, but also to have more of a competitive advantage in their investment strategy,

Morgan: So what are some of the common factors in your due diligence, getting more specific on what those items may be that need to be addressed?

Beth: The main issue that we see is inadequate or immature security risk management and security risk assessment processes. There are still a lot of providers that either are not performing a security risk assessment at all, trying to rely on a third-party vendor's assessment, or their assessment is very immature and doesn't address the processes that are required. We try to identify where the risks are and provide the buyer with a good compliance plan post-close to try to remediate those. To the extent we can. if there's an opportunity to correct an issue pre-close, we encourage the buyer to have the seller do that as part of pre-close condition, which makes it very helpful because the day of closing at that point in time the buyer assumes all the risks are associated with that system and network that they're acquiring. So day one, they're at risk, and there have been reported instances of a breach or an issue within a month of closing that have placed the buyer at some financial risk and having to respond to those things.

John: It varies to a certain degree. Oftentimes, what we see is if the target is a younger organization, maybe just going through a startup sort of phase, and they're growing rapidly, what we often see is that in many cases, because they've had a limited funding during those periods, they're not making an investment in cybersecurity and/or when they're making their investment trade off decisions. You don't necessarily see an immediate return from investing in cybersecurity; it's like buying life insurance. It only really pays off if you die. Cybersecurity is often looked at in a very similar way. So if they're going to allocate their resources, they're not going to be looking to cybersecurity as a place where they allocate those. Now that is changing, and it's changing primarily because of the increasing focus of particular healthcare providers on vendor risk management. So in many cases, these organizations are now being asked to respond to more rigorous questionnaires and surveys around their cybersecurity program, and if they're unable to respond appropriately to those, they're not able to engage in sales.

So we're seeing that change a little bit where there's more and more of a focus, a business driven focus on investment in cybersecurity. We're particularly helping many business associates who are newer to healthcare or moving into healthcare to improve their cybersecurity programs to address this, and I think you're going to see fewer deficiencies in that area among those type of targets. In more mature targets, oftentimes they're organizations that may be under financial distress or have some other issues that are making them a good target. And in many cases, when you have an organization like that, there's a CIO at  PricewaterhouseCooper who used to talk about the magic orange and when money starts to run out the leadership goes to the CIO and says we need we need to have a reduction in costs. And so the CIO has to squeeze the magic orange and keep coming up with juice to reduce the cost of IT. And in today's world, the IT budget, the security budget, is still oftentimes very closely linked to the IT budget. So any sort of reduction in IT spend, usually results in a matching or even more of a decrease in this in the security budget. So when we have situations like that, what we've often seen is that the organization has not kept up their controls in their cybersecurity program. So we'll find that they're understaffed, underfunded, and that as a result, their controls are not implemented effectively. Oftentimes, they're not being monitored and there are significant issues potentially associated with that. That's what we typically find.

The third thing we often find, too, is organizations are just growing so quickly that their cybersecurity programs can't keep up, and that actually can be a more fun conversation to have because they usually recognize that, and because they're growing, they have the resources available to address the issues.

Baxter: One of the other things I think we find a lot is lack of an incident response plan or good contingency planning if something bad were to happen. There was one transaction last year in the veterinary space, the National Veterinary Associates is a chain of over 700 vet facilities that was hit particularly hard by a ransomware attack that affected over half of their locations. So for a period of time, they couldn't book appointments, they couldn't access records, they were unable to provide care. And so interestingly, when I looked up the company, I found that they had been bought by a German private equity fund just three to four months before the incident. So if I'm an investor, I would be asking myself what if this was my ophthalmology platform or dental or dermatology platform? Or if I have a healthcare IT company that provides technology to a hospital or provider organization, I can no longer provide those services. How would something like that impact the value of my investment, and I think that's what's critical to understand as you're underwriting these transactions, and the goal of investing is to manage risks and to maximize return, really understanding not just where the risks are, but what is the plan in place to do something about those risks if something bad were to happen, so that's an area we focus on a lot in our due diligence.

Morgan: How do you recommend investors protect against these threats as part of the M&A process, John?

John: The position that we've taken at Clearwater is to help them understand how to best embed cybersecurity due diligence within the acquisition lifecycle. So it's understanding what it is we're trying to achieve through diligence and maybe it's understanding risk or understanding compliance or understanding the cost of remediation, whatever those objectives are, we need to understand those upfront so that we can in embed cybersecurity diligence during the investment or during the acquisition lifecycle so that we have the time and the access that we need in order to achieve those objectives.

Beth: And one of the things that we try to do is try to structure the acquisition in a way that helps provide protections to the buyer. What we do is we recommend specific purchase agreement provisions to protect the buyer such as reps and warranties and indemnification provisions. We also try to put into place a very aggressive transition services agreement and process that helps remediate as quickly as possible some of the risks that have been identified. Situations when our buyer does experience a post-close breach, in our representation before the OCR what we try to do is make the OCR aware of the fact that a transaction has occurred, was an asset acquisition, and our buyer did not have any responsibility for or ability to control prior HIPAA compliance, and so the OCR has made it clear that they're really not interested in going after someone for x for which they were not responsible. Their objective is really to try to make a change in education and also enforcement. But to the extent that we can we try to limit the scope of the review to events that have occurred post-close.

Baxter: Yeah, and I would add more generally speaking about board level presence among companies that you may have investments in, making data security a core part of just the operational strategy of the company. We all know the quote, what gets measured gets managed. And so if you ensure that a company has established a governance program in place, they've got a solid understanding of where they are today, meaning they've regularly completed a comprehensive risk analysis, and they have a roadmap that gets them to a certain level of maturity at a point in the future that aligns with the strategic plan of the company, and then require that all that gets reported regularly in the board meetings, you're gonna have a much better chance of avoiding a negative event that can impact the investment. So just like anything else good management teams do, you have to make it a priority, you have to set clear expectations. And if you have a lifecycle approach to managing risk across your investments, you can start in the due diligence phase, develop a good plan early and then help manage that company through the entirety of the investment period.

Morgan: Reps and warranties insurance is one way to help mitigate the risk inherent in these types of transactions; what is covered and what isn't as it relates to HIPAA? Beth, I'll start with you.

Beth: Sure. So rep and warranty coverage is a great way that buyers and sellers can protect themselves against risk. However, the underwriters are often unwilling to cover HIPAA risk if there is no security risk assessment, or there's some other indication of a weak HIPAA compliance program that affects cybersecurity. The other component and the impact of this that it can impact the price or the value of the asset. We haven't seen a buyer back out yet or a rep and warranty insurer refuse to completely cover an acquisition that in the event of a HIPAA deficiency, but it could happen.

Morgan: John, is that similar to what you're seeing in your area?

John: Yeah, it is. And this is a sort of an interesting area as well because I think there's an opportunity for the insurers to better understand what it is they're asking for as well. So oftentimes, they'll ask for a risk analysis, and there's very specific requirements to do a risk analysis. You need to understand all of the assets that the organization uses to create, transmit, receive or maintain electronically protected health information and all the components associated those systems. And I also need to then understand all of the reasonably anticipated threats and vulnerabilities associated with those systems and components and the controls that are in place around those systems and components so that I can make a determination of how likely any particular threat is to act on any particular vulnerability, and what the impact of that would be to the organization.

So that's a very specific type of assessment that's required under HIPAA. So what we've seen sometimes is that they'll ask us to do the risk analysis. Now the risk analysis is only one control or one safeguard that's required under the HIPAA Security Rule. So if the question is are they compliant with HIPAA, that's a different question than what does the risk analysis say? Or what are the risks that exist within the information systems that they're using for EPHI? So sometimes when we've been in the conversation with the insurer, it's a little unclear whether they're trying to understand one of those or both of those, and whether or not the assessment that we're doing is appropriate to answer that question. So I think there's some additional thinking that needs to curl around there. And in particular, if they're requesting that a HIPAA risk analysis be done according to the HIPAA Security Rule, and the organization is of any size or scale, conducting a HIPAA risk analysis is not a trivial act, and it could take a substantial amount of time. So far in all of the transactions that we've supported, we've been able to complete that during the diligence period, and it hasn't caused any delays in the transaction. But it's very easy for me to imagine a scenario where an insurer would require that should occur, and it could result in a significant delay in the transaction if they require that the deal not close until that's completed.

Beth: One thing I wanted to add is that we do try in all of these situations when we're doing any kind of an assessment, whether it's a security risk assessment or a claims audit as part of the transaction, we do to try to do that under the context of the attorney client privilege so that it doesn't present any risk going forward for the buyer and that it is protected and it's really information selling for the buyer's use in the event that they have any kind of issues in the future.

Baxter: One thing I would point out that investors need to understand is regardless of the legal structure of what you're acquiring from a legal perspective, you're going to carry the reputational harm caused by that breach. So the impact to your brand and the potential loss of customers and/or patients for not being able to deliver your services, that's going to carry forward no matter what. And so that's where we think that this is an important topic to be focused on earlier and to elevate in the priority list because those reputational challenges and the loss of potential customers can be significant.

John: If I see an impact, it's primarily associated with price, and it can be significant. I'll give you an example. Many times today, what we see is an acquisition of a organization that offers software as a service as their primary business. So the primary asset you're buying is that software system usually hosted in the cloud with appropriate screen controls wrapped around it. If that is the situation, and that's what you're buying, we highly recommend that an organization conduct web application testing on that application before purchase. And what that will oftentimes reveal is not just that there's insufficient security in, let's say, the network architecture or the cloud architecture in which the software is hosted. But oftentimes, what we'll also find is that when the application was created, there wasn't security built into the software development lifecycle. And so what you have is significant vulnerabilities that exist in the code. Oftentimes they've used software that is no longer supported, that there's going to require potentially a significant investment in order to address the security concerns associated with the software itself. In those cases, that can be a significant factor when thinking about how much you're willing to pay for the business or for the asset. In those circumstances, I certainly would advise that one consider very carefully the price to willing to pay for it.

Morgan: So Beth, from your end, are there a few key aspects of the checklist that you're looking for as regulatory counsel representing acquirers, and what should acquirers be looking for in their due diligence process?

Beth: I think one of the first things they should look for is a top down approach to HIPAA compliance. They need to look at whether or not the board has formally acknowledged HIPAA compliance program, is there a committee that's reporting to the board or to the members on cybersecurity compliance issues and keeping the board apprised of what's going on? Do they have a really good training program in place, that is, we still look at this from the weakest link standpoint, and if you have one employee that clicks on a phishing email, then that puts everybody else at risk. So training is a super important part, and sometimes that's not really reviewed as well. The security risk assessment, which we've talking about a lot, is definitely something that needs to be done.

One thing that can be cost effective that I usually try to recommend is that a client look at the OCR audit protocol and try to determine what parts of that are really important to their organization. It depends from investor to investor what areas are more important to them, where they want to dedicate their resources post-close to an acquisition. So they can go through that audit protocol pretty quickly and determine which parts are very important them and help pull that into the diligence request.

Morgan: John, do you have any advice for practices that are planning to sell in the next year or so and what can they do as it relates to patient privacy and data security to best position themselves for a successful outcome? I think Beth just covered some of the tips from a regulatory standpoint, but from your end, are there certain things that folks should be thinking about well in advance?

John: Sure. Well, knowing what Beth just told you, you know, or at least you have a good indication of what's going to be expected from you by a purchaser. So what you need to do is you need to assess where you are relative to those objectives or those deliverables that you're going to be asked to provide. And to the extent that you aren't in a position to provide those deliverables, you need to develop an action plan to address that. So that might include things like do we have our policies and procedures in place? And if not, we need to get those in place. Do we have our risk analysis completed? Have we created a risk management plan to address the risks that have been identified in that risk analysis? And are we managing to that risk management plan and implementing any mitigation that we've planned under that, or have we done a nontechnical evaluation of the HIPAA Security Rule and identified any gaps that we have against the Security Rule. Have we done technical testing under the HIPAA Security Rule? And to the extent that we have, are we addressing any of the vulnerabilities that we've identified through that testing. So there's very clear activities and /or deliverables that we're going to want to have in place so that when we are talking with a potential purchaser, and when we're given that information request, and when we're required to provide that information, nothing related to cybersecurity is going to deter the purchaser from completing the transaction. So it seems like it's pretty straightforward. However, as I mentioned, depending on how long an organization is neglected their cybersecurity program, getting all these things in place is not a not necessarily a trivial trivial endeavor. And it can certainly take a year or more to successfully do that, depending on the organization.

Morgan: A very relevant topic that we haven't really touched on here today is of course that the COVID-19 pandemic which, because of quarantine and elective procedures being halted for quite some time, I think it has brought about pretty rapid change in the use of technology like telemedicine or telehealth. Baxter, do you see any of the current events impacting the future of healthcare M&A, in particular around patient privacy and data security?

Baxter: Yeah, I think we've certainly seen an acceleration of the pace of technology adoption across healthcare. Obviously, everyone's aware the rapid adoption of telemedicine, we're seeing remote patient monitoring and the need to care for patients in the home or in ancillary environments. In addition, a lot of our customers are dealing with remote workforces that have to end interface with their technology systems from various locations. All of these things introduce additional access points, expanding the threat surface for an organization that you have to defend against. So what I would say is now more than ever, performing a risk analysis to understand your environment, determine the threats and vulnerabilities that exist in your organization, is critical. And I think buyers are certainly going to be in tune to these changes. And they're going to want to see this type of analysis or understanding or level of maturity as it relates to managing these risks going forward. So if you have an ongoing programmatic approach to risk management, I think it's key to your ongoing successes as an organization. I think it's certainly going to help indicate that you're a trustworthy company that your customers want to do business with and that potential buyers down the road would pay a premium for.

Morgan: Beth, anything from your perspective in terms of OCR enforcement and waivers?

Beth: Sure, I'm afraid that the OCR waivers and enforcement discretion have really given a feeling that compliance in general has been has been waived or has been put on the side for right now. But I think the result of this illusion is going to be an increase in breaches that will be reported. Unfortunately, at this point in time, the waiver is very limited. It only applies to hospitals and only applies for a very short period of time, and the enforcement discretion is also pretty limited. It only applies to specific instances of HIPAA and has no application at all telework environments. So now that people have been working from home they've had to use remote desktop applications or other applications or their home computers to access information, there's been a higher risk of increasing breaches. I think we're going to see some issues going forward. One of the things that is important that we will look for is to make sure that our clients and also that other providers are, as Baxter pointed out, including this change in environment in their security risk assessment.

With regard to telehealth, the waiver that is in force right now does provide the ability to use some typically noncompliant technologies, and once that waiver ends, as of that day the providers will be required to move back to HIPAA compliant technology. So it's really in their best interest to go ahead, if they're going to have telehealth as a long term solution, to make sure that they do contract with a compliant provider, that they've gotten documentation assurances of that, that they have a business associate agreement in place, that's very important, and that they also have included the use of telehealth in their security risk assessment and management plan.

Morgan: Do we have any sense of when that waiver is ending?

Beth: No, the waiver is tied to the Department of Health and Human Services' emergency declaration. So it'll extend the time period that is in place, and for the foreseeable future that will continue.

John: From a cybersecurity perspective, COVID-19 is in essence the perfect storm. When we talked about risk before, I mentioned that when we look at risk we talked about threats and vulnerabilities and controls and impacts and the likelihood times the impact equals the risk in cybersecurity world. Because of the pandemic, as mentioned, we have a lot of changes in the technology infrastructure, whether that's the adoption of new services like telehealth, or asking our workforce to suddenly work remotely and perhaps not being in a position to adequately provision them to do that. So you have suddenly a lot of people working from home from insecure network using insecure devices and software that perhaps isn't approved, so there's a the introduction of all of these new technologies introducing additional vulnerabilities into our IT ecosystem. For example, I think it's hard for anyone to have missed all of the drama around Zoom. "Zoom bombing" and all the other vulnerabilities associated with Zoom. Well, if you're having your telehealth provided through Zoom and there are vulnerabilities like that exist within within Zoom itself, obviously that's a concern from both a HIPAA compliance perspective as well as a general cybersecurity and privacy perspective.

We typically think of threats as hackers, right? So let's look at those first from a hacker activity perspective. COVID-19 has resulted in a dramatic increase in hacker-type activity. One organization identified as much as a 600% increase in phishing attacks, primarily associated with or wrapped in COVID-19. So, emails masquerading as updates from the World Health Organization, or from the CDC, or from other government bodies, which are in fact, phishing emails. Many of the phishing emails have ransomware associated with them. And  there's been more and more ransomware attacks popping up again in healthcare after they'd sort of slowed down there for a little while, they're popping up again. But that's only one kind of threat. There's also threats, for example, of IT administrators who are careless, and when you have a lot of complexity and a lot of change within your organization at a very rapid pace and you're trying to introduce new technologies, it's very easy for IT administrator type people to misconfigure things, and by misconfiguring them can very easily expose them. There's more and more cases of misconfigured servers, particularly when people are moving to cloud infrastructures, that result in large quantities of medical records being exposed. And that was before the problems with COVID-19. And that's probably only increasing now. Add to that the economic impacts on healthcare as a result of COVID-19 and the need to furlough workers. And oftentimes, those furloughs occur across the board, including with your IT organization and your cybersecurity organization. So they're now suddenly finding themselves not only in this chaotic world but understaffed as well. Then, God forbid, the organization buys into best hypothesis that these waivers that they're seeing around HIPAA mean that all of HIPAA is waived or not being enforced. So that provides even less incentive to act on any of these concerns, or certainly less concern about furloughing individuals that might be able to act to protect the organization and implement appropriate controls. So you end up in a situation where we have increased threats, we have increased vulnerabilities, the impact from these can be quite significant, and the reality is that, on average, it's six to 18 months before an organization even discovers under normal circumstances that they've been hacked or that a hacker is within their infrastructure. And so it's likely that we're not going to see the impacts of this probably for another, you know, eight months, 12 months. But to best point, what I anticipate seeing is that there's going to be a large increase in the number of reported breaches during that period. It's highly likely that there's probably going to be a large number of organizations out there that are going to spend several years responding to information requests from OCR as a result of what's taken place during the pandemic, so it's a significant significant problem right now. There's just a tremendous amount of activity and discussion in the community about what can be done or what should be done. But hopefully we're getting to the end of it, and now it's just a question of understanding what the actual impact was, and addressing any of the weaknesses that have been introduced during the pandemic itself.

Morgan: Well, it's easy to feel like from a conversation around HIPAA compliance and data security in the healthcare world and just in particular around the conversation about M&A due diligence, it can feel a little doom and gloom. But so many of you have pointed to this, that it's really a matter of educating yourself and being aware and preparing and taking those steps on the front end and engaging with advisors like yourself, that can really set these organizations up for success and to avoid some of these missteps.

Related Insights