Healthcare GPs must take broader view of portfolio firms’ cyber risks: ACA’s Neale

  • OCR fines to healthcare organizations exceeded $17 mln in 2017
  • HITRUST adoption grows, but risks extend beyond framework
  • More firms diligence cybersecurity risks pre-deal versus post-deal

While healthcare investors are placing increasing emphasis on cybersecurity and privacy, the scope through which GPs assess risks facing their portfolio companies should be broadened, ACA Compliance Group’s Chad Neale says.

“Health records sold on the dark web are worth 20 times the value of a Social Security or credit-card number on the black market,” said Neale, a managing director within ACA’s cybersecurity and risk division.

Still, only about 25 percent of the firms that Neale has engaged with have what he described as “dynamic and responsive approaches” to risk management of their portfolio companies. The rest have a nascent program or an incomplete approach, he said.

Legislation and enforcement

That said, sponsors’ awareness has heightened around HIPAA, or the Health Insurance Portability and Accountability Act, Neale added.

That’s partly because the Office for Civil Rights within Health and Human Services has grown more aggressive with enforcement, frequently calling for changes in privacy practices and corrective actions.

The agency reported nine HIPAA settlement fines during 2017 totaling about $17 million, Neale noted. This year so far has produced two HIPAA fines for a combined $3.6 million.

Neale, for his part, works largely with PE firms investing in small-to-mid-sized companies offering tech-enabled services in the healthcare sector.

Regarding cybersecurity diligence, Neale said much of the focus to date has centered on the Health Information Trust Alliance. HITRUST provides a framework through which healthcare, technology and information-security companies can manage sensitive or regulated data.

While HITRUST adoption is growing, it is often applied very narrowly to manage cyber risks, Neale said. HITRUST focuses on systems that transmit patient health information, or PHI, but cyber risk extends beyond those systems, he explained.

“What people need to do is take a more holistic approach,” Neale said, noting that organizations pay less attention to the other systems that are connected to PHI systems.

For instance, South Florida’s Memorial Healthcare System last year was hit with a $5.5 million HIPAA fine from the OCR after failing to manage and audit employee access to and usage of patient information. The fine was the OCR’s largest of the year.

Other risks that fall outside the HITRUST framework are those relating to connected devices that are used to monitor health, Neale said.

Deal scrutiny

The second and third costliest fines last year involved stolen laptops containing patient data. The latter was a $2.5 million settlement with CardioNet, which according to Becker’s Healthcare was the first fine involving a wireless-health-services provider.

The cybersecurity and privacy woes that have faced industry giants like electronic-health-records company Allscripts and health insurer Aetna have also raised awareness among investors who are scouring the market for deals in the sector.

Allscripts, for example, is facing a class-action lawsuit following a system outage. Providers affected have said they were forced to cancel appointments because they couldn’t access patient records or electronically prescribe medications, reports said.

Neale cautioned that the consequences of a security breach — whether an OCR fine, brand damage and/or potential lawsuits — can be even more destructive for smaller providers.

“These portfolio companies sometimes don’t have the same type of wherewithal that the large assets do,” Neale said. “An incident can be devastation.”

The PE community seems to have taken notice.

Sponsors, which in healthcare have historically devoted more time and resources to diligencing IT infrastructure ahead of deals, are shifting more attention to cybersecurity.

Neale said about 60 percent of his engagements today are pre-deal, as opposed to addressing gaps after the fact.

Action Item: Learn more about the ACA team: www.acacompliancegroup.com/cybersecurity-risk/our-team

Photo courtesy of posteriori/iStock/Getty Images