Healthcare consolidation continues to grow in response to escalating costs, regulations, and COVID
Over the last five years, we have seen a significant shift in the healthcare space. Small medical and specialty healthcare practices have opted to sell their businesses to large corporations, investors, and hospital systems. Between 2019 and 2021, nearly 21,000 physician practices were acquired by hospitals and corporate entities. [1] This shift has been attributed to a variety of factors, such as:
- The increased cost of operating, and the difficulty of staffing, a small practice, [2]
- Rising regulatory requirements and enforcement actions for non-compliance, and [3]
- The COVID-19 pandemic, which created a need for remote telehealth capabilities to address changes in patient care.
While COVID has become manageable, healthcare consolidation is likely to continue and may fuel concerns for privacy and safety that drive further increases in regulations. [4]
Signs of health data exposure risk to look out for
Whatever the reasons, as healthcare consolidation continues to expand across the country, patient care needs to remain the provider's primary focus. While new locations and new patients add new revenue streams and opportunities to expand into new markets, each newly added practice also brings risks of its own. Common weaknesses we see among small or single-practitioner medical practices include:
- Old technology - Many small businesses do not have the resources or technology expertise to upgrade their systems and applications to the latest technology, leaving them dependent on unpatched, vulnerable systems. They may still rely on analog technologies such as fax machines for transmitting patient data.
- Outdated or limited policies - Smaller businesses often run with informal policies, as it was historically easy to communicate processes internally. This makes the onboarding process difficult for the corporation as new policies need to be developed and implemented.
- Historical data and physical paperwork - Small practices, especially those that have been around for 30+ years, have a vast amount of historical data and hard-copy documents that are stored within the practice. When acquired, this data is now the responsibility of the corporation.
Complexity (and dangers) of identifying cybersecurity gaps post-acquisition
When considering how security could be done wrong in a medical practice, a quote from Anna Karenina comes to mind:
The following case study highlights how varied, and sometimes unexpected, the security challenges of healthcare consolidation can be. Ankura worked with a national specialty care provider that acquired more than 50 individual practices in the span of 10 years. The company developed standard policies and IT security controls that were distributed to all of their locations nationally to help ensure consistent, compliant security and data protection safeguards would be in place.
Upon evaluation of selected sites, Ankura identified both legacy security gaps that had existed prior to the acquisition as well as new weaknesses that resulted from flawed, post-acquisition integration processes, such as:
- Multiple EHRs - Several practices straddled their old EHR (electronic health record system) and the company’s EHR. New patients were entered into the new system, but historical patient data remained in the old system. In addition, access to the old EHR was still managed by the small practice, so corporate IT was not able to ensure proper access controls were enforced.
- Physical security practices - In certain cases, employees at the small practices opted to remove physical controls that the corporation put in place during onboarding. This included the removal of screen blockers and moving workstations to areas where they were in clear view of patients. In addition, there were varying degrees of security for hard copy data: some sites stored data in locked file cabinets, while others left hard copy data on unsecured shelves in plain view.
- Access management differences - While the corporate IT team was in charge of device management and configuration, there were discrepancies with administrative rights across the sites. In some cases, users were able to turn off key controls like password protection and computer lock-out times. In other cases, physicians were able to grant users administrative access to systems and/or applications used across the site.
- Training gaps - Though the corporation had an initial onboarding training for newly acquired sites, the users at each site demonstrated varying levels of knowledge of company policies and security best practices. This included differences in understanding of how to send encrypted emails, where sensitive data should be stored, and how to report security incidents.
These inconsistencies between sites led to increased concern that the company could be vulnerable to security incidents. How were they to manage so many sites and ensure centralized processes were in place? Failure to manage even one site could lead to massive regulatory repercussions.
As an example, an entity of St. Joseph’s Hospital and Medical Center (SJHMC) violated the HIPAA Right of Access rule, which led to a fine of $160,000.00. [5] In addition to the monetary fine, SJHMC was required to develop and implement a corrective action plan, including two years of monitoring. While the entity, Dignity Health, was responsible for the lack of compliance, SJHMC came under fire as the owner of the entity.
A strategic approach to identifying and managing risks in healthcare acquisitions
As a complex healthcare company or multi-facility hospital system, there are many options to consider for improving oversight and management across multiple locations and newly acquired entities. Below are our top tips:
- Pre-acquisition - Prior to adding a new practice to the organization’s portfolio, it is critical that the team understands the added risks that will be taken on. To do so, the corporation must assess the practice for IT and security gaps. This will aid in developing a customized onboarding roadmap and budget, and in allocating the proper resources for continuous management of the site. The core cyber areas to review as part of the acquisition process are:
- Existing IT and applications portfolio
- IT and cybersecurity service provider contracts
- Existing HIPAA policies
- Historical data and retained hard copy files
- Physical security controls
- Past security and compliance events
- Onboarding - The onboarding process for an entity is a critical time for both the corporation and the small practice. It is an opportunity for the new employees to learn about the corporation and the upcoming changes to expect. It is also an opportunity for the corporation to learn about the current processes in place at the site.
- Deploy continuous training - Rather than an electronic policy acknowledgment, it is advised that corporations provide custom training to employees that focuses on the core elements of the company policies. This should include specific guidance on how assets and data should be managed at the site. In addition, the corporation should take time on-site and remotely to ensure each department has been trained on company policies. This should include open dialogue about the current processes in place at the site and the changes that will need to be made.
- Migrate to centralized IT and applications - While there may be a need for a transition period, it is critical that IT gains oversight into any historical platforms so the security controls can be enforced.
- Reinforce the benefits of the changes - There are many benefits for the practitioners and patients when a small practice is acquired by a corporation or hospital. This could mean an increase in resources for patient care, upgraded IT platforms that provide ease of use for the practitioner, and additional operational support for back-office functions. It is important to highlight these benefits and explain the “why” when discussing operational changes that need to be made.
- Ongoing management - While a corporation cannot be at every site at all times, it is critical to develop a program that allows for ongoing management of the different entities.
- Assign an on-site designee - This could be a new employee or someone with historical knowledge of the site. Assigning someone with the responsibility to enforce company policies and report any issues will keep the line of communication open between the site and the corporation.
- Monitor security controls - The corporate IT team should ensure that the proper monitoring controls are in place to identify changes to access and system configuration. In addition, routine vulnerability scans, access reviews, and configuration reviews will ensure compliance with company policies.
- Conduct routine site visits - We advise hosting corporate visits to each new site at least quarterly. This is not only to ensure site compliance but to allow site employees the opportunity to speak with a corporate representative about any concerns with the acquisition and culture.
- Assess risk levels - Performing risk assessments at the site level will provide the corporation with insight across all roles and functions to understand how ePHI (electronic protected health information) is managed. This will also identify differences across sites so processes can be standardized as needed.
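The "monitor security controls" step above is where the workstation and EHR findings from the case study (disabled password protection, extended lock-out times, physician-granted administrator rights, legacy EHR accounts still managed by the practice) can be caught centrally. The following is an added example, not code from the article or from Ankura: it compares constructed per-site configuration snapshots against a corporate baseline and reports drift per site. The snapshot fields, site and workstation names, account names, and policy thresholds are all assumptions chosen for the demonstration; a real deployment would populate the snapshots from the endpoint-management and EHR administration tools in use.

```python
"""Configuration-drift check across acquired sites (added example; assumed data model)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Corporate baseline. Values are assumptions for the demo, not Ankura's policy."""
    max_lock_minutes: int = 15                    # screen must lock within this many minutes
    password_required: bool = True                # workstation login must require a password
    allowed_admins: frozenset = frozenset({"corp\\it-admins"})  # only approved local admins
    ehr_access_owner: str = "corporate-it"        # who manages accounts on every EHR, legacy included


def check_site(site: dict, policy: Policy) -> list[str]:
    """Return human-readable findings for one site snapshot; an empty list means compliant."""
    findings: list[str] = []
    for ws in site["workstations"]:
        name = ws["name"]
        if policy.password_required and not ws["password_required"]:
            findings.append(f"{name}: password protection disabled")
        if ws["lock_minutes"] == 0:                # 0 is treated as "never locks" in this snapshot format
            findings.append(f"{name}: screen lock disabled")
        elif ws["lock_minutes"] > policy.max_lock_minutes:
            findings.append(
                f"{name}: screen lock timeout {ws['lock_minutes']} min exceeds {policy.max_lock_minutes} min"
            )
        for acct in sorted(set(ws["local_admins"]) - policy.allowed_admins):
            findings.append(f"{name}: unapproved local administrator {acct}")
    for ehr in site["ehr_systems"]:
        if ehr["access_owner"] != policy.ehr_access_owner:
            findings.append(
                f"{ehr['name']}: account management owned by {ehr['access_owner']}, not {policy.ehr_access_owner}"
            )
    return findings


def drift_report(sites: list[dict], policy: Policy) -> dict[str, list[str]]:
    """Map each site name to its findings so sites needing a visit can be prioritised."""
    return {site["site"]: check_site(site, policy) for site in sites}


# Constructed sample snapshots (fictional sites, hosts and accounts).
SITES = [
    {
        "site": "Lakeside Family Medicine",
        "workstations": [
            {"name": "RECEPTION-01", "password_required": True, "lock_minutes": 10,
             "local_admins": ["corp\\it-admins"]},
        ],
        "ehr_systems": [{"name": "Corporate EHR", "access_owner": "corporate-it"}],
    },
    {
        "site": "Riverside Dermatology",
        "workstations": [
            {"name": "FRONTDESK-01", "password_required": False, "lock_minutes": 0,
             "local_admins": ["corp\\it-admins"]},
            {"name": "EXAM-02", "password_required": True, "lock_minutes": 60,
             "local_admins": ["corp\\it-admins", "dr.smith"]},
        ],
        "ehr_systems": [
            {"name": "Corporate EHR", "access_owner": "corporate-it"},
            {"name": "Legacy EHR", "access_owner": "practice-manager"},
        ],
    },
]


if __name__ == "__main__":
    for site_name, findings in drift_report(SITES, Policy()).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{site_name}: {status}")
        for line in findings:
            print(f"  - {line}")
```

Run against the sample data, the first site reports no findings and the second reports five, one per control the case study describes as failing. The same comparison can be scheduled against fresh snapshots so that a control switched off at a site after onboarding shows up as new drift rather than waiting for the next quarterly visit.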
The task of managing a large corporation of healthcare practices is not an easy one. However, by developing a program with the components above, corporations will gain more insight into their organization, identify risks, and proactively address gaps before they are exploited.
Footnotes
[1] Hospitals, corporations own nearly half of medical practices, spurred by COVID-19 disruption: report, Dave Muoio, Jun 29, 2021, https://www.fiercehealthcare.com/practices/practice-consolidation-private-practice-departures-skyrocketed-during-covid-19
[2] The Rising Cost of Operating a Medical Practice, Melissa Young, MD, Nov 7, 2016, https://www.physicianspractice.com/view/rising-cost-operating-medical-practice
[3] HIPAA Violation Fines And Penalties: What Are They In 2020?, HIPAA Security Suite, March 25, 2020, https://hipaasecuritysuite.com/hipaa-violation-fines-and-penalties-what-are-they-in-2020/
[4] Biden-Harris Administration Strengthens Oversight of Nation’s Poorest-Performing Nursing Homes, Centers for Medicare & Medicaid Services, Oct 21, 2022, https://www.cms.gov/newsroom/press-releases/biden-harris-administration-strengthens-oversight-nations-poorest-performing-nursing-homes
[5] Dignity Health to Pay OCR $160K for HIPAA Right of Access Failure, Jessica Davis, Oct 8, 2020, https://healthitsecurity.com/news/dignity-health-to-pay-ocr-160k-for-hipaa-right-of-access-failure
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.