When cybersecurity fails in a health care setting, the results can range from potentially deadly to perversely funny.
“There was a case where a patient showed up to the hospital to take care of his sore throat and the staff says, well sir, you have a delinquent bill for your leg amputation,” says Anthony Catalano, a director in the risk advisory services practice at RSM US LLP. “And the person clearly had both his legs.” The patient in this anecdote had unfortunately been the victim of identity theft and insurance fraud, two of the many forms of crime that can take place when health care IT systems are penetrated by bad actors.
“Health care companies have everything that a hacker would be looking for,” says Colin Zarbough, a director in the cybersecurity due diligence practice at RSM US. “You have personal health information, which you can take to the dark net and monetize. You also have bank account routing numbers of people that still use older forms of payment. It's a challenging environment to lock down.”
Before investing in a health care company, private equity firms need to thoroughly understand the cybersecurity risks they may inherit. It’s more complicated than simply wanting to avoid investing in a company with weak controls. Beyond that, a deep understanding of these weaknesses allows for a stronger plan for value creation in the form of building better cyber processes and fortifications.
In some respects, awareness of cybersecurity threats in health care is behind that of other industries, like financial services, which have been under attack for much longer and have had more time to learn and make necessary improvements, notes Zarbough. In the meantime, hackers around the world have learned that many health care companies represent soft targets and have treasure troves of data to steal.
In some cases, health care companies have underinvested in cybersecurity for all the right reasons, so to speak. With a myopic focus on patient care and doctors’ access to information, in too many cases the systems and protocols in place are not on the cutting edge.
Identity theft is not the only exposure. Many health care companies take payments in a variety of ways, including at the point of sale, and this can leave them vulnerable to a range of financial crimes. “So the hospital has to worry about keeping people alive, they're worried about keeping people's data safe, and now they're also worried about maintaining financial records in an appropriate and secure manner,” says Catalano.
In assessing a health care company’s cybersecurity health, it is important to focus first on people and process, not simply the IT infrastructure. After all, a world-class IT security system only works if the team using it is vigilantly compliant.