Cyberthreats: More about people than IT

Health care companies must train staff to be vigilant around security

Oct 03, 2019
Health care Mergers & acquisition Private equity Cyber due diligence

When cybersecurity fails in a health care setting, the results can range from potentially deadly to perversely funny.

“There was a case where a patient showed up to the hospital to take care of his sore throat and the staff says, well sir, you have a delinquent bill for your leg amputation,” says Anthony Catalano, a director in the risk advisory services practice at RSM US LLP.  “And the person clearly had both his legs.” The patient in this anecdote had unfortunately been the victim of identity theft and insurance fraud, two of the many forms of crime that can take place when health care IT systems are penetrated by bad actors.

Health care companies have everything that a hacker would be looking for,” says Colin Zarbough, a director in the cybersecurity due diligence practice at RSM US. “You have personal health information, which you can take to the dark net and monetize. You also have bank account routing numbers of people that still use older forms of payment. It's a challenging environment to lock down.”

Before investing in a health care company, private equity firms need to thoroughly understand the cybersecurity risks they may inherit. It’s more complicated than simply wanting to avoid investing in a company with weak controls. Beyond that, a deep understanding of these weaknesses allows for a stronger plan for value creation in the form of building better cyber processes and fortifications.

In some respects, awareness of cybersecurity threats in health care is behind that of other industries, like financial services, which have been under attack for much longer and have had more time to learn and make necessary improvements, notes Zarbough. In the meantime, hackers around the world have learned that many health care companies represent soft targets and have treasure troves of data to steal.

In some cases, health care companies have underinvested in cybersecurity for all the right reasons, so to speak. With a myopic focus on patient care and doctors’ access to information, in too many cases the systems and protocols in place are not on the cutting edge.

In addition to identity theft, many health care companies take payments in a variety of ways, including at the point of sale, and this can leave them vulnerable to a range of financial crimes. “So the hospital has to worry about keeping people alive, they're worried about keeping people's data safe, and now they're also worried about maintaining financial records in an appropriate and secure manner,” says Catalano.

In assessing a health care company’s cybersecurity health, it is important to focus first on people and process, not simply the IT infrastructure. After all, a world-class IT security system only works if the team using it is vigilantly compliant.

Medical identity theft:  Two forms

  • Consumers steal insurance information to cover benefits their insurance may not include, or because they have no insurance at all. For example, a drug dealer might use fraudulent insurance information to purchase prescription drugs.
  • Providers also may file fraudulent claims on an individual’s insurance to obtain reimbursement for procedures they never performed. They may do this to offset the cost of treating uninsured or underinsured clients.


“You need to take a granular look at the processes that your organization is acquiring,” says Catalano. “You're not just buying a chunk of health care. You're buying individual processes that may generate more or less revenue or create more or less risk. Where are the crown jewels of the organization? How do we protect that? And if you look at it very closely, you can start to back out and spend your next best security dollar as opposed to trying to apply a blanket security to the entire organization.”

Similarly, when merging two health care companies, it is important to make sure not only that the systems for cybersecurity are compatible, but that the culture of cyber awareness is instilled in both companies. “If you're evaluating two companies, and you're planning to put them together, the cultural posture to cybersecurity is a critical evaluation,” says Joseph Ring, a director and complex delivery lead at RSM US. “If it's a very lax culture, then it needs to be addressed.”

Experts also point out that health care companies also continue to face old fashioned security threats that have little to do with the internet, and everything to do with procedure and culture. Instead of hacking a network, bad actors frequently attempt fraud through social engineering, calling or visiting staff at the health care company and posing as someone else. Sometimes these criminals will go to great lengths to build up trust with staff in pursuit of controlled substances among other things.

In addition, hacking is made easier if a bad actor makes it onto the premises of the business. We've done physical penetration tests against hospitals,” says Zarbough, “and some fail immediately. We walk in, we're able to find a port, plug in and we're on their network. And once we're on their network, game over. That's all it really takes. Physical security is a huge part of health care.”