HITRUST & Data Security - Part 2 of 3
This is the second blog in a three-part series (Part 1, Part 3) discussing the Health Information Trust Alliance (HITRUST) certification, why it is essential for any business that stores and processes personal health information, and how a cloud-native data security solution is essential for achieving and maintaining certification. The first blog provided an overview of the certification and explained the need for a data security platform. This blog discusses why HITRUST certification substantially reduces the risk to those acquiring healthcare and healthcare tech companies.
Cybersecurity as a New Playbook
Record high inflation, rising interest rates, and a potential recession have slowed merger and acquisition activity this year compared to the buying frenzy of 2021. Q3 2022 had the third-lowest global M&A deal volume since 2017. While deal-making has slowed, it has created greater scrutiny regarding an organization's profitability, growth, and total addressable market.
During the last decade, I have worked on over twenty acquisitions of software companies. During that time, I have tweaked my due diligence and integration playbooks to identify risks before closing and ensure a smooth transition post-close. Playbooks have long been used to streamline pre and post-close activities.
In recent years, I changed my playbooks so that they focused substantial time on reviewing a company's overall cybersecurity posture as it poses one of the most significant risks to a deal. These changes include everything from producing a comprehensive risk profile to reviewing patch management on firewalls, evaluating access controls, and testing backups of critical systems.
Security – Prove IT
Security is now a critical component in the M&A due diligence process for IT and Security leaders. Years ago, leaders spent significant time reviewing inventory within data centers, org charts, and software spending to look for synergies to offset deal costs. Software licensing, in particular, was a major focus, representing a significant cost risk. Specifically, determining if an organization was licensed correctly and, if not, what would be the cost to bring them into compliance and remain compliant moving forward. While these are still table stakes in M&A due diligence, the risk from poor cybersecurity practices and hygiene could be far more costly. For example, when Verizon acquired Yahoo, Yahoo disclosed a data breach during the due diligence process, which forced Verizon to change the deal model and lower the acquisition price by $350 million.
It's standard during due diligence to inquire if an organization has had a known breach, but no executive wants to close a deal only to find weeks or months later that an unknown breach had occurred. This is especially true for those in the healthcare industry. For healthcare and healthcare tech organizations, a covered entity must notify the Secretary of the United States Department of Health and Human Services of a breach that affects 500 or more individuals without unreasonable delay and in no case later than 60 calendar days from the discovery. That type of breach results in public disclosure with potential fines and increases work on an often-over-burdened IT and security team. As bad as all that sounds, the erosion of trust among current and potential clients is a far greater cost.
HITRUST Certification Reduces M&A Risk
For healthcare and healthcare tech companies, HITRUST certification is the gold standard in information security. In some ways, it is the Missouri of compliance certifications. The "Show Me State" of HITRUST allows for a faster review of an organization's cybersecurity posture. It's far deeper in scope and more extensive than a SOC-2 certification. And, if an organization is in the second year or more of compliance, it shows an ongoing deep commitment to information and security from both a policy and a leadership standpoint. Having HITRUST certification reduces the potential risk of discovering significant cybersecurity issues post-close. As an acquirer, if I see that an organization has HITRUST certification, it speeds up the cybersecurity review activities and more quickly validates the milestones within the playbook.
As healthcare continues to be a high target for ransomware, companies will continue to invest in securing patient data. However, they should also invest in certifications that verify patient data is adequately protected. Therefore, it is inevitable that HITRUST adoption will expand. US healthcare is a massive industry, with healthcare spending accounting for over 19.7% of the US GDP in 2020. That immense market size continues to court private investors. In recent years, private equity firms have spent billions acquiring healthcare and healthtech companies to disrupt that industry and gain more control of one of the largest markets. The cost and time associated with those acquisitions most likely could have been reduced had purchased companies previously obtained HITRUST certification. As investment in the space grows, pressure will continue to mount to lower the overall security risk.