As CommonSpirit Health, formed by the merger of Dignity Health and Catholic Health Initiatives in 2019, continues to deal with the fallout from a ransomware attack earlier this month, security experts say such tie-ups and acquisitions make healthcare systems more vulnerable to security breaches.
M&A in healthcare “creates a huge risk” and a “huge opportunity for ransomware,” said Israel Barak, chief information security officer at Cybereason, a firm that helps companies defend against attacks.
Healthcare deals create a higher risk event for a cyberattack because systems typically have a weaker supply chain, Barak added.
Systems like CommonSpirit rely on a vast network of providers. The majority tend to be smaller organizations with a “very low level of sophistication” and they need to share a lot of data between them, Barak said.
"That leads to a situation where a threat that enters the network from one place can impact a very broad set of entities within that network," Barak said.
Firms that are merging or acquiring are ripe targets because executives tend to be focused on other priorities and may not be as vigilant, according to security experts.
“Anytime there’s chaos or uncertainty, that’s when attackers want to come in and launch their attacks,” said Aneeka Gupta, chief product officer at Rubrik, a data security firm whose clients include some of the biggest U.S. businesses.
The FBI has warned that ransomware attackers tend to target companies going through significant financial events, including mergers and acquisitions.
Fitch Ratings analysts said last week that CommonSpirit is in the middle of a sizable debt issuance.
For entities of this size, consolidating onto the same IT platform and systems doesn’t happen with the flip of a switch.
“Typically, it can take years for the IT teams to merge and or align on a particular set of technologies,” said Allie Mellen, a senior analyst of security and risk at Forrester, a research and advisory firm.
Even though some of CommonSpirit’s affiliated systems don’t show the same signs of an attack, it’s not necessarily indicative of different practices, Mellen said.
“They could have made design decisions to keep them fairly separate from an IT standpoint” as a potential defensive measure, Mellen said.
Due diligence needed before inking M&A deal
Evaluating risk needs to start before two companies integrate, experts say. Before inking a merger deal, companies need to apply the same critical lens to the cybersecurity risk of a deal as they would with other factors.
“Cyber due diligence should be part of the analysis along with the financial analysis, in terms of whether that creates risk to the organization by conducting M&A with a particular entity,” said John Riggi, who advises the American Hospital Association on cybersecurity and risk. He declined to comment directly on the incident at CommonSpirit Health.
Part of that work is also ensuring a company is not inheriting an attack, which can be difficult because companies like to hold cards close to the chest before a deal closes, according to Cybereason’s Barak.
Still, due diligence failures should serve as a warning, and a 2017 PayPal acquisition is the case study in what not do pre-acquisition, Barak said.
The digital payment company purchased TIO, a Canadian payment processing company, for $238 million in 2017. Just months after the closing, PayPal announced it was suspending TIO’s operations after finding a security vulnerability exposed the personal information of 1.6 million customers. The company disclosed in a 2017 annual report that it expects to write off $168 million through 2022, a substantial portion of the original acquisition pricetag.
Hotel chain Marriott unknowingly inherited a massive breach when it acquired Starwood Hotels & Resorts Worldwide in 2016. Two years later, Marriott said it learned that hackers had access to sensitive customer information for four years, exposing 500 million people. The hack did not affect Marriott properties. Hackers had breached Starwood’s reservation database. Marriott’s and Starwood’s reservation databases were kept separate for a period of time after the merger, according to reports.
It’s not necessarily the technology that’s the most difficult hurdle, it’s having the right people and processes in place, Gupta of Rubrik said.
Who’s responsible when something goes wrong? That’s a key question companies need to have worked out before an attack, Gupta said.
That may pose a challenge for healthcare firms that are braiding together the operations and management of legacy systems in different regions and states all across the country.
“Very often, organizations aren’t prepared. Maybe they have the technology in place but they haven’t even prepped their organizations for what are you going to do,” Gupta said.
A cyberattack, an extremely high pressure and crisis situation, should not be the first time certain leaders are interacting, Gupta said.
If companies don’t have these processes fine tuned, they run the risk of feeling greater pressure to pay the ransom attackers demand in exchange for regaining information or access to their systems.
“There’s just a ton of preparedness from the people, process and technology standpoint, that has to happen in order for organizations to stop paying the ransom,” Gupta said.
CommonSpirit is born from a megamerger
CommonSpirit is just three years old.
The system made its debut in 2019 following a megamerger between San Francisco-based Dignity Health and Colorado-based Catholic Health Initiatives.
The deal stitched together Dignity’s operations in the West with CHI’s systems located mostly in the Midwest and South.
The combination created one of the nation’s largest health systems, with a portfolio of 142 hospitals spanning 21 states and combined revenue of nearly $29 billion in 2019.
At the time, executives claimed CommonSpirit was created to solve pressing national health issues and needed greater size and scale to make a nationwide impact.
Currently, CommonSpirit has more than 25,000 physicians and clinicians and more than 2,200 care sites, according to its latest annual report. That doesn’t include all the providers who interact and share information with the system as independent providers.
Possibly providing a clue on the scope of the issue, Healthcare Dive found affiliated health systems in seven states had banners displayed on their websites warning of an ongoing IT issue. In all but one instance, those warnings were displayed on CHI sites.
Website warnings:
- CHI Saint Joseph Health - Kentucky
- CHI Health - Nebraska
- CHI Health - Iowa
- CHI St. Alexius Health - North Dakota
- CHI St. Gabriel’s Health - Minnesota
- CHI St. Luke’s - Texas
- CHI Baylor St. Luke’s - Texas
- Virginia Mason Franciscan Health - Washington
CommonSpirit seemed to confirm that the other half of its network, Dignity Health, was not experiencing the same disruption.
The system said in a recent statement that its Dignity Health-affiliated systems experienced no impact to clinic or patient care along with its TriHealth and Centura Health facilities.
With that admission and the online warnings, the attack seems to have been more acute for the CHI Health entities.
The attack comes at a difficult time for providers.
The pandemic’s effects are still weighing on hospital operators, CommonSpirit said of its 2022 financial results. Staffing shortages are pushing up expenses for pricier labor. The system posted a $1.8 billion loss for 2022.
However, Fitch Ratings said it does not expect to ding the system with a rating change as a result of the cyberattack. CommonSpirit has cybersecurity insurance, Fitch reports.