AHLA's Speaking of Health Law
The American Health Law Association (AHLA) is the largest nonprofit, nonpartisan educational organization devoted to legal issues in the health care field with nearly 14,000 members. As part of its educational mission, AHLA's Speaking of Health Law podcasts offer thoughtful analysis and insightful commentary on the legal and policy issues affecting the health care system. AHLA is committed to ensuring equitable access to our educational content. We are continually improving the user experience for everyone and applying the relevant accessibility standards. If you experience accessibility issues, please contact accessibility@americanhealthlaw.org.
AHLA's Speaking of Health Law
The Need for HIPAA Risk Analysis in M&A Due Diligence
Jon Moore, Clearwater, and Iliana Peters, Polsinelli PC, discuss cyber risk as part of the due diligence process. Specifically, the podcast covers what steps an acquiring entity should take to limit its exposure to potential liabilities and reduce risk; ongoing management of risk and best practices; and risk analysis trends as a component of representations and warranties insurance. Sponsored by Clearwater.
New Health Law Daily Podcast Coming in January 2025
Coming in January 2025, AHLA’s popular Health Law Daily email newsletter will also be available as a daily podcast, exclusively for AHLA Premium members. Listen to all the current health law news from the major media outlets on this new podcast! Subscribe Now
Support for A H L A comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for hospitals, health systems, and their business associates. Our solutions include our proprietary software as a service-based platform, I R M Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise. An advisory support and manage services provided by our deep team of information security and compliance experts. For more information, visit clearwater compliance.com.
Speaker 2:Hello, I'm John Moore, chief Risk Officer at Clearwater, and I am joined today by Eliana Peters. Eliana, would you like to introduce yourself?
Speaker 3:Yeah, thanks, John. Hi, everyone. I'm Eliana Peters. I'm a shareholder at, at Polson PC in the Washington DC office. Um, Polsinelli is an AmLaw 100 law firm, and, um, I joined Polsinelli after many years at HHS Office for Civil Rights, which is the, uh, agency that enforces HIPAA most recently as the acting deputy director John.
Speaker 2:Sure. So, Eliana, as you know, I love talking with you about assorted topics that have to do with healthcare and cybersecurity. So I got a, another good one for us today. Today I'd like to talk with you about the need for HIPAA risk analysis and mergers and acquisition due diligence and, and just cybersecurity in general and, and, uh, m and a due diligence. So how does that sound
Speaker 3:Such a timely topic? I mean, I think this is really coming up for a lot of entities these days,
Speaker 2:So, so let's, let's get started. So first I'd like to, I think about, so with so many data breaches, uh, and, and oftentimes these data breaches going undetected for months or even years at a time, how should an organization that may be acquiring a healthcare entity, uh, be thinking about cyber risk as part of their due diligence process?
Speaker 3:Yeah, it's a really, really important question, and I think that that, that, that is, um, that is the first part of the question, is that, you know, many entities, healthcare otherwise aren't really even sort of considering this as part of their due diligence. So, number one, we really do need to start talking about cyber risk and other types of data security risks as part of our, uh, enterprise landscape for purposes of due diligence. Because the last thing you wanna do is either sell, um, uh, uh, your business to an entity with certain reps and warranties that you then have an issue with or buy a business that has, uh, you know, an, an unrecognized issue. Um, and so I think a, again, this should be part of your due diligence questions as the buyer part of your, um, you know, consideration of reps and warranties as a seller, really thinking in a robust way about the data security protections in place at the entity that is the target, whether you're the buyer or the seller, and walking through state law compliance concerns with regard to data privacy and security, federal law compliance concerns related to data security. And then of course, if there are international app implications as well for that particular business, ensuring that you have that covered too.
Speaker 2:Yeah, I think you, you, you nailed it Again, I, I think considering, um, cybersecurity and compliance is part of your due diligence is, is a, is the first step, right? And, and then within that, once I've done that, I need to think about, okay, what, what are the, the questions or the areas with which I'm trying to get some level of confidence about through the diligence process? And you, you named multiple of those. Uh, you know, in the compliance space, there's, well, are we HIPAA-compliant? Are we compliant with state regulations or international regulations that, uh, might be in, in play in the transaction? And then also just from a general cybersecurity perspective, how much risk am I, am I potentially purchasing here? Uh, you know, what is the cost gonna be associated with remediation if there's issues associated with that or a potential breach? So that, you know, there's a lot of different, I think, uh, once you start to unpack, uh, cyber risk and cybersecurity due diligence and compliance in this space, there's a lot of questions that an organization might wanna consider and try to get some level of comfort about, uh, as part of the purchase process. Uh, so what are the ramifications in, in your experience or, or for not making cyber risk due diligence a priority? So what happens if you, if I don't do this, if I, if I just assume I'll work it out later,
Speaker 3:Right,<laugh>? Uh, probably, uh, not the best approach. Um, but for, you know, for the buyer, obviously the ramifications are essentially buying lawsuit or a regulatory investigation of some kind, um, with all of the different, uh, implications they're in. So if you don't have a good handle on, um, a breach incident, for example, at, at the entity that you're acquiring and you acquire that entity, and then you have a, you know, class action litigation as a result, um, then obviously you're on the hook for that, arguably, um, similarly, depending on, on, you know, the, the transaction, but similarly with the re regulator investigations, those, those investigations many times takes take years. Um, and so you are coming into an investigation many times, you know, part of the way through, you may not have a good handle on it, there may be turnover in staff, and you have to continue to respond to, uh, government requests for information that could result in settlements or civil money penalties of some kind could potentially affect your ability to do business over the long term. So, you know, from a buyer perspective, this is, this is real risk. Um, and it's just increasing. I mean, the, the number of state law class actions, um, uh, are, are increasing particularly because of the increased state responsibilities in, in states like California and others. Um, and then for the seller, obviously, you know, if you, if you make a representation and warranty that you don't have, um, unresolved breach issues or that you are in compliance with state, federal or, or international requirements related to data security, and that's found later to be not true, um, then obviously you're looking at, um, litigation related to the transaction, and that could really severely impact any, um, you know, profit that you've made, um, in, in terms of selling the business, um, and could ultimately really damage your reputation moving forward as a business or, um, you know, in any new, uh, enterprises that you're undertaking as well. So again, it's, it's just a, a huge minefield for both buyers and sellers.
Speaker 2:Brian and I, I think, uh, a lot of organizations underestimate those costs. Uh, the latest study I saw that, uh, breach in healthcare now costs on an average in excess of 7 million, which is, you know, pretty significant and can be much larger than that depending on the, the nature of the organization and the, the size of the breach. But, uh, you know, breaking down those costs, you, I think you, you hit most of those. There's all the litigation costs, the impact on your brand, uh, you know, fines, penalties, lost, productivity associated, uh, with, with responding to the, uh, breaches, the fact that these things can go on and usually do, you know, go on for years with all the litigation and, and, uh, uh, enforcement actions that can result from them, uh, you know, it's, it can, it can be quite a financial impact on, on both sides of the transaction. Uh, as you explained. One of the other things that, you know, that we tend to see is in, particularly in, uh, when it, the transaction involves a healthcare IT company, and specifically ones that are, you have a software product as, as one of the key assets within the, OR software products as, as part of the, uh, key assets within the transaction is that, uh, a lot of times people underestimate if security hasn't been billed into some of these products from, from the ground up, if you will, the costs associated with them, uh, then coming back and trying to secure those products if they haven't already, uh, been secured can be quite sub substantive and can even, uh, you know, force organizations to completely restart from scratch and creating some of these products. So that's another area that, that, uh, you know, oftentimes, uh, we're seeing people not completely thinking through, uh, during transactions. Um, so what steps would a, should an acquiring entity take to limit their exposure, uh, to potential liabilities and reduce the risk?
Speaker 3:Right. Um, I think, you know, it's always good to have help, um, that understands the risk. So if you have counsel, um, as part of the transaction that, that maybe is fantastic deal counsel, but isn't in the weeds on a lot of these data privacy and security issues, it may help to get, get some, um, some backup, um, and really talk through these issues. Um, it's always about asking the questions from my perspective, you know, really understanding what questions to ask the target, and making sure that you're getting good answers and good documentation and, and, you know, just really putting the time in to get the documentation and to review it to make sure that you understand, um, the scope of, you know, any, um, uh, it documentation that may include an assessment of risks, um, or, uh, controls that that entity has put in place documentation regarding breaches and security incidents, any litigation and regulatory investigations. You know, just, it's, it's about making sure you have a robust diligence process to understand your risks and to the extent you need to negotiating, um, you know, a remedy for those identified risks. If you identify problems with the target, that doesn't mean that they're not necessarily still a great target, you just wanna prepare. Um, and maybe that's with an escrow or some other, um, conditions on closing or, you know, whatever the steps that you decide you need to take to work with that entity to get them into a compliant position or to anticipate any fallout.
Speaker 2:I, for us, you know, when I talk to organizations, uh, looking at or considering doing, uh, due diligence, cyber risk, or typically in, in our case, hipaa, uh, compliance, due diligence, I talk about sort of four elements that we're trying to balance. So one, the first area is what's the objective of, of the diligence? And, and interestingly, sometimes folks need sort of guidance thinking about what the objective is, what is it we're trying to get some level of comfort about, uh, through the diligence itself. Uh, the next factor is time. You know, depending on where you are within that transaction, life cycle is going to dictate how much time you have to, to do any sort of review. Uh, the next is access, uh, because again, you know, depending on where we are in that light transaction life cycle, it's gonna determine how much access we actually have to the target in order to perform any type of diligence. And the next is cost, which is, of course, always a factor as well. So, you know, from from our perspective, what we're typically, uh, you know, asking people to think about is to consider, um, cyber risk due diligence early on in the transaction so that we can work through and think about, uh, how to, to how that can unfold during the transaction itself. So unfortunately, a lot of times, you know, when we're brought in the, oftentimes the, the letter of intent's already been signed or is about to be signed, and so that you're under a, the gun from a, from a, you know, you got 30 days or 45 days to due diligence and you have, um, you know, limited access. Maybe you can do some document discovery or, or maybe an interview, but then only for an hour with the CISO who doesn't necessarily have, you know, a lot of the details, uh, depending on the size of the organization on, uh, what's going on. So there's all these, those certain factors that, that we're always trying to balance and help folks understand, um, as we're walking through, uh, the process of, of due diligence and, and trying to help them gain, you know, an appropriate level of comfort in those, uh, uh, in those areas. So that's, that's kind of how we, uh, tend to talk to people, uh, about, about thinking through, um, diligence and appropriate, uh, sort of approach to diligence during the transaction, um, from a cyber risk perspective. So, um, if, if you were going to, if you were going to, uh, or you got in response to, uh, you know, discovery of, of documentation and you received an organization's security risk analysis, what are the kind of things that you would be looking for if you were examining that, that risk analysis and considering it from a diligence perspective?
Speaker 3:Yeah, John, I think, you know, I, I, I think you're, you're hitting, you're hitting the high points here, so I, I appreciate the conversation and the questions, and I think this is a really important one because the, the first thing<laugh>, um, is, is that you get a risk analysis. So, you know, just to back up a little bit is, you know, ask for and make sure that you do in fact get, um, any and all versions of the, the target entities security risk analysis, because, um, those are incredibly helpful documents to review to really understand the, you know, the maturity of the organization from a security perspective, but also really what the issues are with regard to where the data is, the threats to it, and the controls that are currently in place to, to protect the data. So I, I would, you know, make a point to ask more than once, um, not only for all of the risk, uh, analysis documentation, but over a period of time. So you don't necessarily just want the last years, you want, you know, if it's available several years. Um, and then again, you wanna, you wanna look for a good understanding of the requirements that is, you know, a good, um, data inventory and asset inventory and, and a real reflection of consideration of real threats and vulnerabilities. Um, and then that, again, the appropriate response to those risks, um, you know, making sure that there is a plan to move forward in, in, um, resolving those, reducing those, whatever the, the, the plan is. So, um, you know, so it's less about sort of, you know, maybe you don't necessarily agree with the approach, and that's okay, but it's making sure that the approach actually exists and has existed over time, um, and that it's comprehensive and really is, is a, is a good scope, um, of analysis.
Speaker 2:Yeah, I think, uh, for us, and it, I keep going back to this, but it's, but it's really, I think, important to understand, okay, from us in particular when we're trying to narrow scope down for, for due diligence, is, okay, am I, am I looking at this from a compliance perspective? So a HIPAA compliance perspective in this case, in which case, you know, I'm gonna look for very specific things from the risk analysis so that I can say, you know, look, they're, they didn't do the risk analysis according to the HIPAA security rule and et cetera, et cetera, et cetera. Um, but I'm also, I may be also be asked to look at, to your point, the more of the maturity of their, uh, cyber risk management program, uh, or their security program, in which case I may not be quite concerned, uh, whether or not the risk analysis specifically meets their requirements of hipaa, but more concerned about, um, the quality of the, of the evaluation and, uh, what they did with it. Um, you know what, so to your point, I, I want to start to see trends over time where I can actively see, um, that the organization is managing the risk, uh, risk, which is an, you know, an important indicator to us of the maturity of the, um, cybersecurity or cyber risk management program as a, as a whole. Uh, so kind of going down that thread, ia, how about that ongoing management of risks, what do you, what do you look for there, or what are the best practices that, that an organization might have in place?
Speaker 3:Yeah, again, I mean, just all of these important issues, um, uh, you're hitting, hitting the nail on the head here, John. Um, the, you know, I think at the very least, we need to find, hopefully some kind of risk management plan, some kind of plan that the organization has taken, um, or has undertaken to, um, reduce the risk that they've identified. And, and again, that can be, you know, a series of documents. So again, many times it is asking the question in several different ways, is it penetration testing? Is it vulnerability testing? Do we wanna see controls assessments? Do we wanna see certification assessments? Um, are there specific requirements that we wanna look at like PCI compliance, um, that may have overlap? Um, you know, really asking the question in several different ways to see if you can get good documentation regarding the implementation of controls to manage those risks that have been identified and really understanding in the organization who's responsible for that. So, you know, is it the ciso, is it a team, um, you know, is it, uh, a group of individuals who have different responsibilities for different pieces of those controls? Um, or, you know, do they, are they comfortable with, uh, performing regular audits, evaluations and analyses? You know, what does that look like? And so, again, you know, asking those questions in different ways I think is, is really important because there may be, particularly depending on who you're working with on the transaction, there may be sort of a gap between who is providing the immediate answers and who really at the target has the information that you need.
Speaker 2:Yeah, it's, uh, it's, um, it's very challenging to, to, I think diligence in particular can be a very challenging endeavor for, for those of us who are engaging in the, for the, sort of the reasons we talked about, um, before there, you want to, there's limitations on your ability to, to typically limitations on your ability to, uh, get access to the target and to have some of those conversations. And, and, uh, you know, particularly if you run into organizations that don't have a lot of good documentation, it's, it's particularly challenging to make any determinations. Although, you know, in, in our experience when we see that that lack of formality, uh, the lack of documentation, uh, you know, the, the, uh, no clear governance structure in place, those are usually indicators that, that you have a very immature program and, and that there's gonna be, uh, you know, significant potential cost associated with, uh, putting a program in place that's gonna be reasonable and appropriate for the, for the, uh, new entity. So one last question for you, ia, and this is something that, that, uh, has come up in the last year for us, and I'm interested in your experience. What trends are you seen with regard to risk analysis as an actual component of the reps and warns insurance process?
Speaker 3:Yeah, uh, I mean, as a trend, I am seeing much more involvement by insurance counsel and asking these same types of questions. So, um, you know, again, I think where the buyer is asking these questions of the seller, um, the insurance council is asking these questions of the parties as well in, in many different respects. Um, and that could include asking for the documentation itself, but at the very least, um, cybersecurity issues and data sharing issues are, uh, always on the list of questions that the insurance reps are, are asking about. Um, and I think that's, you know, I think that's a change. Um, I think, and I think it reflects the fact that these are real risks for organizations just generally. Um, and even more so I think risks associated with diligence and transactions because of the, you know, the fact that a, that a breach can occur at any time, um, obviously at the entity doesn't have good controls, and even if they do in many cases. And so really trying to understand, um, what the long-term risk is for a particular organization is key, not only to the diligence, but also again, to the insurance, uh, related to the diligence.
Speaker 2:Yeah, we've, we've even seen on a couple of occasions recently, uh, where, where the insurance carrier has insisted that a risk analysis be performed and that's can be problematic, can hold up a transaction. I mean, it can introduce all sorts of issues associated with whether or not, you know, the limitations on the coverage and, and assorted other things. So it's, you know, more and more now when we talk to organizations that may be considering some sort of equity event in the future, or, you know, kind of entering a transaction, we talk to them about preparing for, for diligence, right? So how do you, uh, how do you prepare your organization in expectation of someone performing, uh, cyber, cyber risk management due diligence on you? And so we are, we are, uh, among other things, um, typically recommending that folks if they're, if they haven't already, uh, or at least not recently performed risk analysis, that it's something that we highly recommend they do. And again, you know, there's, there's very likely to, to be risks identified during that process. And, and I think sometimes folks are scared to, to, you know, it's better off not knowing kind of, kind of situation. But I, I, I really don't think that's the case anymore because of the expectation that, um, that our risk analysis is should have been done already. And, and, uh, if you don't do that, what that says about, about your organization and the maturity of your cyber risk management program. So I, I think again, you know, more and more frequently, uh, organizations, whether that's buyers or the reps and warranties, insurers or, uh, you know, other folks, council who are doing, uh, these engaging and supporting these types of transactions are looking for certain cyber risk management activities to have been performed. Uh, and if to the extent that they're not or haven't been performed, it can affect the, the transaction. And so, uh, thank you very much, Eliana. Uh, it has been a, uh, delight talking with you today about, uh, m and a due diligence and specifically around cyber risk management and, and risk analysis. I always, uh, learn so much when we, when we have these opportunities to talk. Um, any final comments before we close today?
Speaker 3:No, thanks, John. I think your questions have been great, and like I said, really hit the mark with regard to the issues that we're seeing as well, and it's always good to talk to you.
Speaker 2:Great. So, I'm, uh, John Moore, chief Risk Officer at, uh, Clearwater Compliance, and thank you all for, uh, coming and, and listening in as IA and I talk today. Thank you.