Why Mergers and Acquisitions Create Vulnerabilities

Updated on June 4, 2024

The trend of cyberattacks on healthcare organizations shows no signs of slowing down. Healthcare businesses handle a significant amount of sensitive patient records, financial data, and insurance information, which makes them appealing targets for criminals. In 2023, the healthcare industry reported the most expensive data breaches of any industry for the thirteenth year in a row.

Meanwhile, the healthcare industry faces a unique set of challenges when defending against cyber attacks. Many organizations still rely on a complex ecosystem of connected legacy systems and modern hyper-connected systems, and many of these legacy systems may not have adequate security measures in place. Each connected system provides a new potential entry point for attackers. A single security oversight or human error may allow access to the entire ecosystem. 

The CIA Triad

When developing policies designed to protect information, organizations should typically focus on three core principles: confidentiality, integrity, and availability. Abbreviated as ‘CIA’, these three principles form what we have come to know as the CIA Triad.

The three key elements of the triad and their applications within the healthcare industry are as follows:

  • Confidentiality: Protecting patient privacy by ensuring that sensitive data is secure. This involves practices such as implementing two-factor authentication and data encryption, as well as providing training for those handling sensitive information.
  • Integrity: Ensuring that data is accurate and trustworthy and that it isn’t tampered with. This involves implementing backup and recovery software, data encryption, and the correct file permissions.
  • Availability: Guaranteeing system uptime for patient care so that data is readily accessible to the professionals who need it. This involves implementing firewalls, installing updates when required, and maintaining disaster recovery capabilities.

Shifting Priorities in M&A

Organizations are setting goals to move closer toward their strategic objectives and increase efficiency, and investors are becoming more bullish. As a result, healthcare executives expect mergers and acquisitions (M&A) in healthcare to rise in 2024.

M&A helps to expand market reach, enhances service offerings, and integrates patient management, billing, and electronic health record (EHR) systems. However, it also introduces potential interoperability challenges and security risks, and it increases the attack surface.

Migrating data from one system to another can also introduce new problems, such as unauthorized access. These issues are especially prominent for healthcare organizations relying on legacy systems with poor security features.

Availability vs. Security

Getting the balance right between confidentiality, integrity, and availability is a fine art for any organization. For organizations outside of the healthcare industry, it often makes sense to sacrifice some availability — often in the form of system uptime — for better confidentiality and integrity. 

Below is the typical company triad balance:

[Figure: the typical company CIA triad balance]

However, for healthcare organizations, especially hospitals, this is typically not the case. When someone in a hospital requires urgent care, the availability of patient records and vital monitoring equipment is a top priority. So, while the organization must uphold confidentiality and integrity, the priority leans heavily toward availability to maximize system uptime.

Below is the healthcare company triad balance:

[Figure: the healthcare company CIA triad balance]

Ransomware Attacks and Challenges 

The cost of data breaches within the healthcare industry has increased rapidly since the beginning of the COVID-19 pandemic. In 2023, the average breach in the industry cost $10.93 million — a 53.3% increase compared to 2020. Perhaps this heavy prioritization toward availability is part of the reason why so many attackers are finding opportunities to disrupt healthcare organizations with ransomware attacks.

The February cyberattack on Change Healthcare, the organization that operates the largest clearinghouse for medical claims in the US, illustrates the impact of ransomware attacks on healthcare organizations. 

The breach resulted from a combination of compromised login credentials and a Citrix remote access portal without two-factor authentication. Once inside, the attackers encrypted the organization’s data, rendering it inaccessible. This prevented doctors across the US from filing claims and getting paid.

The organization paid a ransom of $22 million for the attackers to decrypt the machines. The attackers then released the patients’ data on the dark web anyway and demanded more money, a tactic known as double extortion. As a result of this cyberattack, the organization estimates that a third of Americans had their sensitive health information leaked to the dark web.

The double extortion tactic used by the attackers highlights the difficult decisions that healthcare providers must make. When organizations prioritize maintaining availability so heavily, it can lead to complications. This helps to explain, in part, why healthcare organizations are such prime targets for attackers.

Balancing Availability and Security

This recent ransomware attack showcases the increasing urgency for healthcare organizations to achieve a more appropriate balance between availability and security. 

The CIA triad offers a framework for healthcare organizations to strengthen their incident response plans against cyberattacks. In the case of a network security compromise, they can also use it as a tool to assess what went wrong.

Effectively implementing all three principles strengthens an organization’s ability to defend against future cyberattacks.

Aaron Shaha
CISO at CyberMaxx

Aaron Shaha, CISO at CyberMaxx, is a Strategic Information Security Executive and subject matter expert with a record of pioneering cybersecurity trends by developing novel security tools and techniques that align with corporate objectives. Known for building and leading strong teams that provide technology-enabled business solutions for start-ups, industry leaders (Deloitte and its Fortune clients) and government agencies (NSA). Skilled at developing information security strategies and standards, leading threat detection and incident response teams to mitigate risk, and communicating effectively across all levels of an organization.