Cyberattacks More Likely During Hospital Mergers

An analysis found that cyberattacks, which can potentially disrupt patient care, are twice as likely to occur during and after hospital mergers and acquisitions.

Cybersecurity in healthcare has become a top priority, especially since healthcare facilities have observed a marked increase in data breaches — impacting nearly 43 million Americans in 2023 alone.

Now, a new peer-reviewed study conducted by Nan Clement, a University of Texas at Dallas (UTD) doctoral student, has uncovered when these data breaches are more likely to happen.


Clement presented her paper at the 22nd Workshop on the Economics of Information Security in Geneva, Switzerland, where it received the Best Paper Award.

According to the research, during the two years surrounding a hospital merger or acquisition, the risk of a cybersecurity breach more than doubles. Specifically, the likelihood of a breach during that period is 6%. In contrast, among the same hospitals, the data breach probability is 3% outside that timeframe.

One possible reason for the increased vulnerability to cyberattacks during this two-year window is incompatibility between the merging hospitals' information systems.

"When you merge two information systems, that's a time hackers can take advantage. Although most hospitals use electronic medical record (EMR) systems, they might come from different vendors and have different features," Clement explained in a UTD press release.

In addition, Clement found that insider misconduct and hacking activities increased when hospital officials announced a merger or acquisition. However, she suggests that hackers are more of a threat than people committing misconduct within the organization.

Clement also observed that Google searches about the merging hospitals rose after public announcements, which was linked to more hacking activity.

In addition, the study points out that these vulnerabilities and subsequent data breaches may have dire consequences for people under the hospital's care.

"Hospitals are critical infrastructure that touches every American. What if there's a critical surgery needed, but suddenly there's a ransomware attack, and everything is down, and the next-nearest hospital is 100 miles away?"

- Clement

In the paper, Clement noted that the balancing effect of organizational assets improves internal risk control measures and may help reduce data breaches. For example, "mergers involving publicly traded hospitals can experience a decrease in data breaches during mergers."

In addition, hospital officials should be aware of the vulnerabilities to breaches during the time leading up to an acquisition or merger and after the deal is signed.

Clement suggests, "Mergers are a time that we should focus on and work toward security solutions."

However, despite best practices to protect hospital data, Clement believes that healthcare organizations likely won't be able to protect themselves 100% from cyberattacks, data breaches, or other hacking activities.

