

What investors should understand about data privacy and protection

Aug 30, 2018
Health care Cyber due diligence

The health care and life sciences industries are in a period of dramatic change. Despite this change, successful private equity funds and strategic buyers can still execute deals. McGuireWoods and RSM host an annual conference to explore ways to successfully close transactions and achieve capital growth by implementing the right strategies in the right markets. The following article summarizes one of the panel discussions at the 2018 event.

In this increasingly digital world and with the daily onslaught of publicized cyber breaches, the topic of data protection is top of mind for everyone. Certain issues related to personal information and data privacy are unique to the health care space, which faces specific obstacles not seen in other industries.

“When we think of data fraud, we think about stolen credit card information. One of the reasons we do that is because Visa, MasterCard, American Express do a phenomenal job at triangulating fraud,” says Jay Schulman, a principal with RSM US LLP. Typically, major credit card companies have a solid grasp on fraud. Once they suspect it, they immediately start an investigation. “We don't see that in health care.”

While a lost or stolen credit card number is concerning, it is much worse to have one’s health care information compromised. “The thing about health care data is that it’s very valuable,” says Steve Grant, president of Objective Arts, Inc. “You can do a lot of things with a credit card, but if you have someone’s protected health information, you can impersonate them in a lot of different settings.” There is a multitude of ways to commit fraud with someone’s medical information. “My understanding is that the health care record is about 10 times more valuable than the credit card,” Grant adds.

“That’s what makes a health care hack so attractive,” says Sara Shanti, an attorney at McGuireWoods LLP. Credit card and banking organizations have become more difficult for a hacker to breach, while health care organizations are still developing the security mechanisms to monitor any sort of breach. “This is a major concern for potential investors,” says Shanti. “A serious breach could have significant impacts on the value of a company.”

Grant adds, “If you look at the postmortem of some big hacks—you look at what happened with Anthem or Premera or most recently Equifax—you can see the potentially devastating effects of a breach…. For Equifax, careers were ruined, and the stock price plunged.”

What truly makes a health care data breach devastating to the consumer is that, unlike money that can simply be returned, confidential health information such as HIV status, cancer diagnosis, diabetes, mental disorders, addictions etc. can be divulged, and then it’s impossible “to put that genie back in the bottle,” says Shanti. Once certain types of information are out, there’s no way to return to an anonymous state or make it right. Worse yet, when this type of information is leaked it creates an opportunity for blackmail or exploitation. 

Due diligence can help avoid a major risk

Understandably, a hack undermines confidence, and that could devastate a business. What’s most alarming is that some breaches aren’t discovered for a long period of time. Equifax took nearly nine months to discover its breach. Anthem Inc. took less time, but according to Schulman, the discovery was totally haphazard.

The best way to ensure your security and privacy controls are strong and working properly is to follow the data, says Jay Schulman. A good tip is to “look at the data that poses the greatest risk. In this case, it’s protected health information. Follow that information from the point in time at which information enters the company to the point in time at which it leaves or gets destroyed.” The integrity of that full life cycle is important and can show you where there are holes or security issues.

For an investor, it’s important to make sure some due diligence is performed around cybersecurity. “It’s just good practice to know the state of your target’s security and privacy governance,” says Schulman. “It’s a big risk to acquire a company, and then discover that a breach happened two years ago. You’ve now bought into that breach.” Purchasing a company with privacy concerns can also open you up to a broad government investigation.

“If there’s any fraud attached to data privacy or a security incident, or they uncover other fraud while the information is being accessed or compromised,” says Shanti, “you’ve suddenly opened the door to a much bigger compliance issue, with possible civil and criminal penalties.”

Admitting you might not have all the answers

Looking for a cybersecurity vendor is not always in an investor’s wheelhouse. “The first thing I would want to see,” says Grant, “is a firm that’s either on, or going to, Amazon Web Services (AWS), Google Cloud or Azure. Amazon, for example, has 15 dedicated security services.” A company should be proactive in using multiple security services—and if Amazon, for example, offers access to these security services, then that provides an inexpensive, fast and easy method to reach compliance.

Relying on these tech giants to manage and troubleshoot cyber risk is good business. “For many companies, outside of the biggest, probably the Fortune 25, if you look at the talent you can acquire to run an exchange server in-house, you couldn’t possibly compete with the quality that you get at Microsoft, for example, with Office 365,” says Schulman. “They see every hack every day, and they’re constantly working on improving that.”

Recognizing the red flags

Identifying the threat soon after it occurs is essential to managing a hack head-on. One trend is monitoring the behavior and the flow of data through servers. If someone has infiltrated a system and they’re downloading tons and tons of data, this is a clear sign that something is going wrong. Another area to be aware of is old data systems. These can create problems, because older systems might not have patches that deal with current security issues.
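The volume-based signal described above, as an added example that is not part of the original article: each host’s daily outbound byte count is compared against the median of that host’s own earlier days, and a day that exceeds the baseline by a large multiple is flagged. The log format (day, host, bytes_out) and the sample lines are constructed for the example.

```python
"""Flag hosts whose outbound data volume spikes far above their own baseline."""
from collections import defaultdict
from statistics import median

# Constructed egress log lines (hypothetical format): day,host,bytes_out
SAMPLE_LOG = """\
2018-08-01,db-app-01,512000
2018-08-02,db-app-01,498000
2018-08-03,db-app-01,530000
2018-08-04,db-app-01,41000000
2018-08-01,web-01,2048000
2018-08-02,web-01,2100000
2018-08-03,web-01,1990000
2018-08-04,web-01,2200000
"""


def parse_egress(log_text):
    """Return {host: [(day, bytes_out), ...]} preserving file order."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, host, bytes_out = line.split(",")
        per_host[host].append((day, int(bytes_out)))
    return per_host


def find_egress_spikes(log_text, multiplier=10.0, min_history=3):
    """Return (host, day, bytes_out, baseline) for each day whose outbound
    volume exceeds `multiplier` x the median of that host's earlier days.
    The first `min_history` days per host only build the baseline."""
    alerts = []
    for host, rows in parse_egress(log_text).items():
        history = []
        for day, bytes_out in rows:
            if len(history) >= min_history:
                baseline = median(history)
                if bytes_out > multiplier * baseline:
                    alerts.append((host, day, bytes_out, baseline))
            history.append(bytes_out)
    return alerts


if __name__ == "__main__":
    for host, day, bytes_out, baseline in find_egress_spikes(SAMPLE_LOG):
        print(f"ALERT {host} {day}: {bytes_out} bytes out (baseline {baseline})")
```

A per-host baseline matters because a busy web server legitimately moves far more data each day than a database host, so a single global threshold would either miss the database spike or page on the web server every day.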

But according to RSM’s Schulman, there is opportunity in old systems to go in and revitalize their IT infrastructure to make the company more secure and therefore more valuable. “At RSM, when I perform due diligence, I see a lot of companies who need help in the area of security, that might be doing things wrong. But often the fix or improvement is not an incredibly expensive proposition. I get concerned when things are locked up—when I can’t access the data. And the security program was written by someone in IT 17 years ago and that person is about to retire.”

The key is to understand what you’re walking into. “If you are walking into a security disaster, I don’t think that’s a deal breaker, as long as you have a road map to move forward from that,” says Schulman.

Opportunities and trends

All panel experts agreed that the revolution in health care is in shared medical data, where two different hospitals can see a patient’s complete medical records even if not all of the patient’s procedures were done at one hospital. This is where blockchain technology (a shared database or ledger system) can help, especially in areas such as claims processing. “Streamlining processes in a secure and accurate way is good for the consumer, for the insurers, and even better for the health care systems and investors managing it all,” closes Schulman.

To learn more about the McGuireWoods and RSM US Annual Health Care and Life Sciences Private Equity and Finance Conference, please visit the conference website.

For more health care and life sciences industry insights, read RSM’s quarterly industry spotlights developed in partnership with Pitchbook.
