Healthcare M&A Means Acquiring Legacy Threats

Fort Kent is a town of just over 4,000 residents abutting the Canadian border in rural Aroostook County, Maine. Fort Kent is famous for being the northernmost terminus of U.S. Route One, and infamous for its long, harsh winters. It is also home to Northern Maine Medical Center (NMMC), a 10-bed hospital that has seen services cut in an effort to lower operating costs.

Maine Public Radio recently reported from a public forum held in Fort Kent’s town hall after the hospital announced plans to close its maternity ward. Residents fear NMMC will soon close; and if it does it will be part of a growing trend. The American Hospital Association (AHA) says that 136 rural hospitals have closed since 2010, and according to a recent report by the Center for Healthcare Quality and Payment Reform (CHQPR), there are more than 600 hospitals across the country in danger of closing due to financial pressures. Of those, more than 200 are in immediate danger of shutting down. That means that hospital mergers and acquisitions (M&A) are likely to continue as a trend identified by Chief Healthcare Executive magazine, which reported there were more than 50 hospital M&As in 2022, with more expected this year.

The Good and Bad of Healthcare M&A

When larger hospitals acquire smaller–and especially rural–hospitals, it can have a positive effect on access to quality of care for the communities they serve. The AHA said that nearly 40% of hospitals added services after being acquired, and that operating efficiencies helped to lower costs by an average of 3.3% after an acquisition. But along with the benefits associated with healthcare M&As come security risks. Security Magazine reported that ransomware attacks on healthcare organizations have doubled since 2016, and because rural hospitals struggle with financial and staffing constraints, they are often more easily breached by threat actors.

In her testimony to the Senate Homeland Security & Government Affairs Committee during a hearing on cybersecurity threats to rural healthcare organizations, former North Country Hospital (Vermont) CIO/CISO Kate Pierce said, “[An] alarming trend that escalated in 2022 was cyber attackers shifting focus to small and rural hospitals. While most larger health systems have implemented advanced cybersecurity hygiene to thwart attacks and are employing large cybersecurity teams with sophisticated defenses, small facilities continue to struggle.”

“[An] alarming trend that escalated in 2022 was cyber attackers shifting focus to small and rural hospitals. While most larger health systems have implemented advanced cybersecurity hygiene to thwart attacks and are employing large cybersecurity teams with sophisticated defenses, small facilities continue to struggle.” — Kate Pierce, former CIO/CISO, North Country Hospital

The Lurking Threat of Acquired Risks

The dynamic nature of connected devices operating in a network complicates security and IT management issues. In healthcare, these challenges are magnified because patient safety is affected when operations are compromised. Some findings from our most recent Rise of the Machines, Enterprise of Things Adoption and Risk Report (keep your eyes peeled for our 2023 edition soon), show the dangers present when Internet of Things (IoT), Internet of Medical Things (IoMT), and operational technologies (OT) proliferate in a healthcare environment.:

• 86% of IoT and IoMT deployments have 10 or more FDA recalls.
• 15%-19% of connected devices run on obsolete/unsupported operating systems.
• 10%-15% of devices connected to the network  are unknown or unauthorized.

When a larger hospital makes an acquisition, it takes on the legacy cyber risks that previously beset the smaller one, including the technology assets used to run the facility and support staff in delivering care. In the best cases, hospitals and other healthcare delivery organizations (HDOs) rely on connected medical devices that are likely vulnerable to cyberattack. And once a piece of medical equipment is put in service, it may end up running with obsolete or unsupported software for years, or new vulnerabilities may be revealed that cannot be patched quickly due to patient safety concerns.

Even when a large hospital with “advanced cybersecurity hygiene” takes over the IT and security operations of a smaller hospital, it can take time to assess and mitigate the risks associated with integrating the new organization’s IT estate. And if any of the acquired systems were compromised prior to acquisition, a lurking, undetected threat actor may be able to use the smaller hospital’s IT infrastructure as a kind of Trojan horse from which to move laterally into the new owner’s systems, much like when hotelier Marriott was breached after acquiring Starwood Hotels in 2014.

Mitigate M&A Cybersecurity Risks

With these challenges in mind, a best practice approach to cybersecurity during an M&A event involves three critical steps:

1. Discover every asset in the network

You can’t protect what you can’t see, and so the key to addressing legacy threats and vulnerabilities inherited through the acquisition of other organizations’ technology estates is to be able to discover and classify every asset. That includes all the connected devices in operation: IoMT, IoT, OT, and more. This comprehensive asset inventory may also be useful to determine duplicate systems and reduce redundancies as both organizations in the M&A consolidate their assets.

The Ordr platform performs device discovery and classification quickly, and then monitors communications and tracks changes in real-time. Ordr goes beyond mere visibility to deliver deep, granular, classification of every device, from make, model, serial number, and operating system details. It also provides vital context about where a device is connected and what other systems it is communicating with. Ordr addresses one of the most common M&A challenges of overlapping IP schemas when two organizations are combined. This challenge prevents teams from easily establishing a single view of both environments and can slow risk assessment and integration efforts.

2. Identify your attack surface

The next step is identifying and measuring the attack surface from these assets. This can include devices with vulnerabilities, devices running outdated operating systems, or those with weak passwords. By baselining devices and their communications patterns, you can determine behavior that is outside of norm, that may be an indication of a compromised device.

From a deep, granular foundation of visibility, Ordr gives a complete view of the connected device attack surface and communications in real-time. Ordr identifies which devices are vulnerable or acting in a risky manner, and assigns a risk score based on the device’s known, determinative operational parameters.

3. Implement M&A cybersecurity best practices

Once you know what devices and risks you are inheriting as part of the acquisition, you can begin to implement M&A cybersecurity best practices. The most basic M&A cybersecurity best practices may be segmentation between the two networks, until access and convergence is complete. You will also want to identify or document key risks that need to be mitigated and addressed during or post acquisition.

Ordr dynamically automates the creation and enforcement of security policies. This means that organizations using the Ordr platform can quickly block attacks, quarantine compromised devices, segment vulnerable devices, and accelerate Zero Trust projects to proactively improve security.

Cybersecurity Due Diligence

Because hospitals and HDOs are under constant risk of attack from threat actors who care nothing of the danger their actions present to patients—and, in fact, use that danger to their advantage when carrying out ransomware attacks—there is no grace period when acquiring a smaller organization. It is imperative that the acquiring hospital include cybersecurity when conducting their due diligence. The network must be inventoried, assessed, and protected as quickly as possible, and Ordr helps get that done even before a contract is signed.

Furthermore, we operate on a philosophy of continuous improvement, expanding our integrations, leveraging the most up-to-date threat intelligence, and building our library of millions of device profiles to ensure Ordr is the most comprehensive, single source of connected device truth available. Check out our M&A solution brief for more details on how we help with cybersecurity due diligence.

*** This is a Security Bloggers Network syndicated blog from Ordr Blog - Ordr authored by Mike Spinney. Read the original post at: https://ordr.net/blog/healthcare-ma-means-acquiring-legacy-threats/