Securing Growth: Cybersecurity Strategies for Specialty Healthcare Providers

Updated on June 18, 2024

Private equity (PE) firms have increasingly turned their attention to the healthcare sector, with specialty healthcare providers being a particularly attractive investment target. These firms inject significant capital and managerial expertise into specialty healthcare services, including specialties like dermatology, ophthalmology, orthopedics, and dental care. The infusion of private equity funds often leads to enhanced operational efficiencies, expanded service offerings, and accelerated growth through strategic acquisitions, the implementation of sophisticated management practices, and economies of scale. As a result, PE-backed specialty healthcare providers can offer higher quality care, increased accessibility, and more innovative treatment options to patients.

With the growth of specialty healthcare providers come challenges in scaling robust cybersecurity practices. With each acquisition of a new practice comes a host of challenges and unknowns. What systems, programs, and digital assets will the acquisition add to the larger network? How well have the staff been trained in cybersecurity and HIPAA compliance best practices, and how—if at all—are these practices woven into the culture of the organization? 

These challenges are made more complicated by acquisitions that involve multiple practice locations. It isn’t unusual to find that each location has its own approach to cybersecurity and compliance or that it uses a local managed service provider (MSP) to support its IT infrastructure and end-user systems. 

The CIO of a private equity-backed dental support organization (DSO), Gen4 Dental Partners, and the CEO of a large healthcare cybersecurity and compliance firm, Clearwater, have both navigated these challenges firsthand, from two different perspectives. They agree that there are some standard steps healthcare organizations should take to protect the growth equity of their organizations, the privacy and security of their patients’ data, and the delivery of care and services.

Asset-Based Risk Analysis

This is a must-do from a security and HIPAA compliance perspective. If you haven’t completed a comprehensive risk analysis of all your organization’s information assets and their components, you not only risk a potential enforcement action from the HHS Office for Civil Rights (OCR), but you’re leaving your organization vulnerable to critical or high risks you may not even realize exist. Did you know that 90% of organizations that have fines or settlements with OCR were cited for failure to perform an acceptable risk analysis that meets the OCR Final Guidance? For an organization that is adding new practices, locations, endpoints, and users on a regular basis, the expectations and demands for risk analysis are higher. You should be updating your risk analysis on an ongoing basis as major changes are made. Why? Because changes to your environment add new vulnerabilities and more ways for cybercriminals to penetrate your environment. Risk analysis also has economic benefits: it gives you a picture of your organization’s risk in a way that allows you to prioritize your response to the most important risks. Hence, you can direct your cybersecurity investments to mitigate the greatest risks and potentially reduce spending on addressing risks that fall below your risk threshold.

Align Your Cybersecurity Practices to a Recognized Framework

Align your practices to a recognized cybersecurity framework like the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF), which defines a set of cybersecurity outcomes to reduce risk and increase resiliency. The framework integrates industry best practices and standards into a common language to help organizations understand and communicate risks internally and externally throughout their supply chain. Another great resource is the 405(d) Health Industry Cybersecurity Practices (HICP). Created through public and private collaboration, these practices address the top five cyber threats to healthcare and come in three versions – small, medium, and large – so they are reasonable and appropriate for your organization’s size. Both of these resources are free, and should you ever be audited by OCR, you may benefit from legislation that requires OCR to consider reduced enforcement action for organizations that have implemented these practices for at least 12 months.

Threat Detection & Response 

As your organization takes on new practices, locations, providers, and staff, you’ll have an ever-increasing number of endpoints to manage—and potential entry points for cyber attackers. It’s imperative that you have a way to monitor, detect, and respond when there is suspicious activity on your network. With 24/7/365 detection and response capabilities, you can fend off attacks and minimize impact. Without these processes in place, you’re likely to be blindsided by malware and ransomware.

Vulnerability Management 

In addition to monitoring endpoints, it’s imperative that your organization has a sustainable strategy for vulnerability management. It’s not uncommon to acquire hundreds of vulnerabilities with each location you add through an acquisition, though not all of those vulnerabilities pose a critical threat to your organization. Additionally, new vulnerabilities are discovered each day, and some require rapid remediation based on criticality. A more holistic approach to vulnerability management is to understand which vulnerabilities pose the greatest risk to your organization and to look at your security threats from a broader perspective that considers your organization’s business impact analysis, risk threshold, and other factors such as potential points of entry, the types of systems and data that may be impacted, and dependencies.
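The risk-based prioritization described here, and the risk-threshold idea from the risk analysis section above, as an added worked example (not code from the article or from either author's organization): scanner severity for each finding is weighted by the asset's business-impact rating, whether it is a potential point of entry, whether it handles PHI, and how many systems depend on it, then anything under the organization's risk threshold is dropped. The asset names, findings, weights, and threshold are all constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_impact: int   # 1 (low) to 5 (critical), taken from the business impact analysis
    handles_phi: bool      # type of data that may be impacted
    internet_facing: bool  # potential point of entry
    dependents: int        # number of other systems that depend on this one


@dataclass(frozen=True)
class Vuln:
    vid: str
    asset: str
    cvss: float            # scanner severity alone, 0.0 to 10.0


# Constructed inventory for one newly acquired location (hypothetical names and values).
ASSETS = {a.name: a for a in [
    Asset("pms-server", 5, True, False, 4),          # practice management system
    Asset("patient-portal", 4, True, True, 1),
    Asset("imaging-workstation", 3, True, False, 0),
    Asset("guest-wifi-ap", 1, False, True, 0),
]}
VULNS = [
    Vuln("V-001", "guest-wifi-ap", 9.8),
    Vuln("V-002", "pms-server", 7.5),
    Vuln("V-003", "patient-portal", 6.5),
    Vuln("V-004", "imaging-workstation", 5.0),
    Vuln("V-005", "guest-wifi-ap", 4.3),
]


def risk_score(v: Vuln, assets: dict) -> float:
    """Severity weighted by the factors the article names; the weights are assumptions."""
    a = assets[v.asset]
    exposure = 1.5 if a.internet_facing else 1.0
    data = 1.3 if a.handles_phi else 1.0
    deps = 1.0 + 0.1 * min(a.dependents, 5)
    return v.cvss * a.business_impact * exposure * data * deps


def by_severity(vulns):
    """Scanner-only ordering: highest CVSS first, no business context."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


def prioritize(vulns, assets, threshold: float):
    """Risk-based ordering; findings below the organization's risk threshold are dropped."""
    scored = [(v.vid, risk_score(v, assets)) for v in vulns]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: s[1], reverse=True)


if __name__ == "__main__":
    print("severity only:", [v.vid for v in by_severity(VULNS)])
    print("risk based   :", [(vid, round(s, 1)) for vid, s in prioritize(VULNS, ASSETS, 10.0)])
```

The severity-only list puts the critical finding on the guest Wi-Fi access point first; the risk-based list moves the practice management server and patient portal ahead of it because of their business impact, PHI, and dependencies.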

Employee Training 

Phishing is still the #1 initial threat vector in cyberattacks, meaning untrained or careless workforce members are still your #1 vulnerability. But you need people to run your business and care for patients, so you must train them well. And it isn’t enough to use generic training anymore. Social engineering attacks have become more sophisticated, often using a combination of vishing (voice), smishing (text), and phishing (email) communications.  Your employees need to understand that it is someone’s full-time job to trick them into giving up their credentials, clicking a malicious link, or otherwise opening up access to your network. Your mindset should be that everyone in your company is a member of the security team.  Train them on how to spot, avoid, and report suspicious attempts, giving them more “feet on the street” to alert the organization of a potential attack. 

Conclusion

As private equity firms continue to invest in specialty healthcare providers, the importance of robust cybersecurity practices cannot be overstated. The integration of new practices and locations brings a myriad of cybersecurity challenges that, if not properly addressed, can undermine the very growth and efficiency gains that private equity aims to achieve. By conducting comprehensive asset-based risk analyses, aligning cybersecurity practices with recognized frameworks like the NIST Cybersecurity Framework, implementing effective threat detection and response mechanisms, maintaining a sustainable vulnerability management strategy, and ensuring rigorous employee training, healthcare organizations can safeguard their operations, protect patient data, and maintain compliance with regulatory requirements. A proactive and well-structured approach to cybersecurity will not only protect the investment but also enhance the quality of care and trust in the healthcare services provided.

Steve Cagle
CEO and Board Member at Clearwater

Steve Cagle is the CEO and a board member of Clearwater, assuming the CEO position in May 2018. Mr. Cagle is responsible for leading Clearwater’s strategic growth plan and managing the company’s overall operations. He has extensive experience leading, innovating, and scaling healthcare and technology businesses, including guiding numerous companies through critical transformation periods.

Mr. Cagle serves as CMP Pharma’s executive chairman, where he has guided its transformation to an institutionally-owned specialty pharmaceutical company.

Mr. Cagle holds a Master of Business Administration from New York University’s Leonard N. Stern School of Business and a Bachelor of Science in finance from Rutgers Business School in New Brunswick, N.J.

Scott Dever
Chief Information Officer at Gen4 Dental Partners

Scott Dever is a highly accomplished technology executive with over two decades of experience driving growth and innovation in the restaurant, healthcare, and dental industries. Currently serving as the Chief Information Officer (CIO) of Gen4 Dental Partners, he is responsible for leading the company's technology strategy and operations, overseeing data analytics, infrastructure, and cybersecurity.

Before joining Gen4 Dental Partners, he served as the Vice President of IT and Data Analytics at Specialty Dental Brands, where he played a crucial role in enhancing the company's technological capabilities to improve patient care and operational efficiency. Prior to that, Dever served as the Manager of IT Operations at HCA Healthcare, one of the largest healthcare providers in the United States.

As CIO of Gen4 Dental Partners, Dever is leading the company's digital transformation initiatives, which include a best-in-class data and analytics platform, a comprehensive cybersecurity program, and patient-impacting technologies.