A new report by Clearwater Security found that incident response and resilience was a major issue for private equity-owned healthcare companies, which need to improve consistency in cybersecurity governance in light of their high-growth business model.
The assessment found systemic gaps in security preparedness, as healthcare organizations need more documented policies for cybersecurity practices from provider practices to digital health companies. Private equity firms need to consider the cybersecurity risk profiles of companies when deciding whether to acquire them or merge them with other businesses, Clearwater writes.
Because private equity firms prioritize rapid growth of their portfolio companies, Clearwater found that health IT infrastructures and cybersecurity practices often fall behind. A cybersecurity incident can devalue a company overnight or rack up regulatory fines, a dangerous prospect for PE firms.
The report looked at consumer health companies, healthcare data and analytics companies and physician practices owned by private equity firms. It also evaluated pharma, biosciences and dental services companies.
Using HHS’ 405(d) Health Industry Cybersecurity Practices (HICP) framework, it evaluated companies’ written policies on things like vulnerability management, network management and IT asset management and compared them to how the practices were implemented.
Clearwater used data from assessments it has done of multiple private equity firms and their portfolio companies. John Santana, principal consultant with Clearwater Security, leads private equity services delivery and has been conducting the 405(d) assessments.
A principal finding of the report was that organizations’ technical controls greatly outpaced their documented cybersecurity policies. Across all market segments, factoring in the quality of organizations’ written cybersecurity procedures sharply lowered their average scores on cybersecurity controls.
Santana explained that documented policies are critical for an organization’s ability to respond quickly and effectively to a cybersecurity incident, which also affects the bottom line. Healthcare companies need to be able to turn to documented policies, especially if the organization has high staff turnover.
Clearwater found that incident response and resilience was a major issue for PE-owned healthcare companies. Companies tend to have one of three gaps: no documented policy, a flimsy policy, or a policy that is not routinely tested, Santana said. Ideally, healthcare companies should test their incident response plans frequently through tabletop exercises.
“Having that strong muscle allows you to be able to nip a bad event in the bud,” Santana said.
Few of these companies conduct regular tabletop exercises, leaving them unprepared for ransomware and system outages, and their recovery processes are often disorganized, the report found.
Another issue was data labeling and management. Many organizations failed to distinguish between the types of data they owned, which affects their ability to apply the right level of security to each type of data.
“A lot of organizations just struggle with the basics, where they just don't have the data classification in place,” Santana said. “Classifying the data and having all that in place allows you to right-size security controls.”
Clearwater found that identity and access management was the most consistently implemented area across organizations, though its practices, such as giving users unique accounts and passwords and requiring multi-factor authentication, may be considered the very basics of cybersecurity.
While consumer health companies generally performed well across cybersecurity categories compared to other market segments, the report finds that the segment falls short on data classification policies and strong data handling procedures.
Santana said the consumer health companies assessed in the report often were not handling protected health information or personally identifiable information, which tends to make their data handling standards more lax than those of provider organizations governed by the Health Insurance Portability and Accountability Act (HIPAA). Rather, the companies held manufacturing data, staffing data and intellectual property.
These categories should still be properly classified and managed, Santana said. “Just because they're not under the gun for HIPAA doesn't mean that the breach isn't catastrophic to the bottom line,” he explained.
Healthcare data and analytics companies that traffic in personal health information performed exceedingly well compared with other market segments. However, these companies, which generally operate in virtualized cloud environments, struggle to maintain consistent security controls across remote endpoints, such as personal computers and remote workstations.
PE-owned provider organizations and specialty clinics scored well in data classification and handling, but performed worse in overall cybersecurity governance and incident response. Clearwater notes that PE firms need to pay special attention to IT infrastructure when operating high-growth business models.
“Private equity-backed physician and specialty practice groups tend to have aggressive growth profiles leveraging merger and acquisition models,” the report says. “Rapid acquisition without IT and cybersecurity integrations results in environments with varied, decentralized technologies that collectively become a challenge to secure and costly to manage. By formally defining and resourcing IT and cybersecurity infrastructure integration in acquisition and due-diligence playbooks and strategies, this pitfall can be avoided.”