Data breaches are a result of cyberattacks, which have become rather common in the healthcare space lately. They can cause copious amounts of patient data to be compromised and stolen by unauthorized parties. With the surge of attacks happening on healthcare facilities, many will find their resources exhausted or ill-prepared. Those factors leave facilities such as hospitals vulnerable to further strikes.
Additionally, there may even be certain times when healthcare facilities are more susceptible to cyberattacks. One of these times can be hospital mergers, according to a recent report from The University of Texas at Dallas (UTD).
Research conducted by UTD doctoral student Nan Clement indicates “the period during and after hospital mergers and acquisitions is an especially vulnerable time for patient data when the chance of a cybersecurity breach more than doubles.” Clement researched different hospital merger records and archived data breach reporting from the DHS between the years 2010 to 2022.
There are a few factors as to why mergers pose a unique circumstance for cyber vulnerability:
- System Integration
- Distraction/Allocation of Resources
- Data Migration
- Integration of Third-Party Vendors and Partners
- Personnel Changes
System integration is when the merging parties integrate their IT systems and networks. This is a normal part of merging, however, there is an issue that arises from it: gaps in security. These gaps are created when the integration takes place, and they leave the systems or networks wide open to exploitation by hackers. This is even true when integrating third party vendors and partners, as these external factors can bring more angles for attack if unsecure.
In addition, mergers require significant amounts of time, resources and focus to manage the overall process. The redirection of resources creates less attention towards cybersecurity considerations, therefore leading to new chances for attacks to happen while defenses may be reduced. During the merger process, personnel can change, too. Newer staff will not be as familiar with the already existing security protocols and even weaknesses. This can cause lapses in judgement and poorly configured systems.
Then there is data migration, where merged hospitals transmit or consolidate data from separate systems. It can indirectly expose patient data or create vulnerabilities if things are not properly secured for the migration process.
With that, cybersecurity becomes a more critical priority during mergers. It requires the proper personnel to meet and collaborate with each other on different security practices. From there, staff can be trained in those practices to act if the situation calls for it. If the time comes for a merger, cybersecurity defenses must be kept up.
Jeff Wardon, Jr. is the assistant editor for the facilities market.