There is an ever-increasing appetite for healthcare entities to engage in mergers or acquisitions. Mergers and acquisitions require that organizations engage in due diligence to determine whether the deal is a good fit, a judgment based on a multitude of facts. A key factor is the strategic objective of the deal for the involved entities. The strategic objective will be a significant driver of the risk tolerance, which in turn drives the level of due diligence the organizations want to engage in. Knowledge is power. The leadership of the parties negotiating the business deal can decide how much risk they are willing to accept, but they must have the right information to make an informed decision.
If an organization has a high tolerance for risk because the strategic objective is to make the deal happen regardless of the risk involved, then the organization may not care about the privacy and security risks it is inheriting. This may lead the entity to conduct minimal due diligence because any identified risk will be irrelevant to the strategic objective. However, all mergers and acquisitions need some level of due diligence. The assessment of privacy and security risk in these types of transactions can vary from superficial to in-depth: the less risk tolerant the organizations are, the more in-depth it should be.
A big issue is knowing the right questions to ask and understanding the answers being provided. The initial step to determining the level of due diligence may involve helping senior leaders understand the level of risk that could be involved. This may involve conducting interviews with the individuals responsible for oversight of privacy and information security for both organizations. Chief Compliance, Privacy, and/or Information Security Officers for the acquiring organization may be able to help define the right questions to ask. Interviews with these individuals will be critical to learning about the privacy and security posture of the organization being acquired.
When evaluating privacy and information security, it will be helpful to understand the programs of the organizations involved in a merger or the organization being acquired. There are general questions that should be asked like:
- Are they currently under investigation by any enforcement agency for a privacy or information security incident?
- Which specific privacy and security laws or regulations must the organization comply with, such as HIPAA, the Gramm-Leach-Bliley Act (GLBA), the General Data Protection Regulation (GDPR), and state-specific laws such as the California Consumer Privacy Act (CCPA)?
- Are there currently any data compromises under investigation that could result in a reportable breach?
- Has the organization conducted a comprehensive data inventory?
- What are the resources committed to privacy and security?
- Is senior leadership routinely updated on privacy and security issues?
There are questions specific to the information security program like:
- When was the organization’s last security risk assessment?
- Was a risk mitigation plan developed from the risk assessment?
- What is the status of the risk mitigation plan?
- How many security incidents has the organization had in the past year?
- Have they conducted an incident response exercise and if so, how recently?
- Do they have any special relationships that require specific information security practices, such as Department of Defense or state contracts?
- What existing information security policies does the organization have and when were they last updated?
- What training and education does the organization provide on information security?
There are also questions specific to privacy that should be addressed:
- How many breaches have been reported in the past year?
- Does the organization engage in proactive user access monitoring?
- Who is responsible for evaluating a data compromise to determine whether it is a breach?
- What metrics or dashboards are used to track privacy activities?
These lists are not exhaustive, and many of the items on them could be expanded into multiple additional questions and areas of inquiry. The important factor is to ensure that all appropriate questions are asked and that the answers are validated. Looking at the actual metrics reported to senior leadership, evaluating the minutes of the board or applicable committees, reviewing training material and records, and similar checks can increase confidence that any risks being inherited are known.
The senior leadership of the organizations involved in the deal must ensure they have sufficient knowledge to make an informed decision about risk. They may decide to accept significant risk if there are other strategic reasons for making the deal happen. However, a decision based on ignorance, or on a reckless disregard for an appropriate level of due diligence, can lead to a business disaster. It could also lead to other consequences for the senior leaders and the Board of Directors. The cost of the deal should include any potential cost of defending and settling enforcement actions. Helping ensure the level of risk is understood will allow leaders to guide the organizations in deciding whether or not to proceed with a deal.
Don’t enter a merger or acquisition blind to the significant potential risks that can be involved around privacy and information security.