
BLOG POST: Healthcare Security Due Diligence for Mergers

Nadia Fahim-Koster is a Director in our IT Risk Management division. Check her out on LinkedIn.

May 25, 2017

Mergers and acquisitions of healthcare organizations are becoming quite common. In fact, according to Healthcare Financial Management magazine, merger activity in the healthcare industry rose “108 percent year over year in the first quarter of 2015”. Among the many reasons are changes in government programs such as the Affordable Care Act, advances in Accountable Care Organization (ACO) models, and innovations in healthcare IT. Although these mergers may be profitable, they introduce many challenges from an IT security and compliance standpoint. This is due, in part, to the exposure of information and systems that must now exist across organizational boundaries. These challenges leave healthcare organizations vulnerable in an already turbulent cyber threat landscape in which they are prime targets.

Getting the organization ready to face these challenges requires performing security and compliance due diligence early on. The aim is not just to prepare these organizations, but also to develop a continuous improvement program that keeps enhancing the overall security posture. The recommended steps below are therefore divided into phases, starting with what should be done in the first sixty days of the merger and continuing to 180 days and beyond.

1. The First 60 Days

The first 60 days should center on identifying and addressing the security and compliance risks that exist in the current environment. Identifying these risks early gives the organization an opportunity to mitigate them before an attacker can take advantage of them. Recommended activities during this period include:

  • Conducting ethical hacking and penetration tests to discover any technical weaknesses
  • Performing a gap analysis against policies or security frameworks such as HITRUST to identify any inconsistencies that could introduce meaningful risk exposure to the organization
  • Updating the inventory of existing security tools and solutions
  • Reviewing any prior risk analysis and compliance documentation
  • Establishing a communication and governance model

2. From 60 to 180 Days

After identifying the existing risks in the current environment, the next stage is to create formalized action plans to continue the integration of security and compliance personnel, processes, and technologies. During this phase, we recommend:

  • Developing a formal security and compliance integration strategy and a roadmap that define the approach to be taken
  • Executing the communication plan as integration projects start to kick off
  • Remediating any quick wins identified, including technical vulnerabilities
  • Performing a resource and skillset analysis to develop a plan for allocating relevant resources to corrective actions and implementation efforts
  • Identifying in-flight security and compliance projects
  • Integrating and updating policies
  • Consolidating corrective action plans and regulatory documentation

3. 180 Days and Beyond

Now that the initial groundwork is complete, the organization can move on to executing the integration strategy and work towards continuously improving security controls across a broad range of security and compliance areas. Some of these areas are:

  • Access controls
  • Endpoint encryption
  • Incident and breach response
  • Education, training, and awareness

Security and compliance teams should also look for ways to consolidate compliance activities across legacy and newly acquired entities to ensure consistency across the enterprise.

If you found this post interesting, please download a copy of Meditology’s Healthcare Security Due Diligence for Mergers white paper at the following link for further reading. Meditology Services offers assessment, penetration testing, vulnerability analysis, and program development services to help healthcare organizations and their business associates exceed compliance requirements and ensure the security of their data and platforms during mergers. You can learn more about our offerings and review our thought-leading publications at
