
Sell-Side Readiness in the HealthCare Industry: Cyber and IT Infrastructure Preparedness

The Change Healthcare Ransomware Attack, One Year Later

The attack, which disrupted healthcare operations across the nation, underlined cybersecurity as a critical component of readying a healthcare entity for a potential sale or refinancing. A recent American Hospital Association (“AHA”) report highlighted the urgent need to strengthen the cyber preparedness of both individual healthcare organizations and the field as a whole, and the HIPAA Journal reported that 2024 was a record-breaking year in terms of breached healthcare records.

In the dynamic and heavily regulated healthcare industry, preparing for the sale of a company requires meticulous planning and execution. According to IBM, the cost of data breaches in healthcare increased by over 50% in the three years to 2023, averaging just under $11 million per incident in 2023. Although the average decreased to $9.8 million in 2024, healthcare data breaches remain the most costly across industries.

Therefore, cybersecurity is not just an IT issue but a business imperative that can significantly impact the valuation of a healthcare company. A crucial aspect of this preparation is ensuring robust cyber and IT infrastructure readiness. This has become increasingly critical given the rise in cyberattacks, such as the Change Healthcare ransomware incident, and IT operational failures, like the CrowdStrike update issue. This article explores the importance of sell-side readiness, focusing on cybersecurity and IT infrastructure, and provides real-life examples and insights into the challenges faced by healthcare companies during M&A processes.

 

Cybersecurity: A Top Priority for Sell-Side Readiness

When preparing for a sale, companies must demonstrate to potential buyers that they have taken comprehensive steps to secure their IT infrastructure and environment overall. This includes regular risk assessments, proper asset management, strong cybersecurity measures around their people, processes and technologies, clear incident detection and response programs, and scalable Business Continuity & Disaster Recovery plans.

Learning from Change Healthcare and CrowdStrike

The Change Healthcare ransomware attack, attributed to the hacker group known as BlackCat, resulted in a significant loss of integrity in the firmware of computer systems, leading to a ransom payment and total costs estimated at up to $1.6 billion for the UnitedHealth subsidiary. The impact has been massive on various healthcare providers such as hospitals and private clinics, as well as insurance brokers and providers. Similarly, the CrowdStrike update failure, which occurred on July 19, 2024 and impacted organizations of all kinds worldwide, underscores the importance of change management and tracking changes to networks, systems, and workstations, especially those containing electronic protected health information (ePHI).

Investors don’t want to buy a breach

The cybersecurity posture of an organization can make or break a healthcare business sale. There is general concern that assets going to market in the current macro environment are often not the highest quality, as many sponsors are delaying sales until the macro environment improves. Solid evidence of investment to address a hot topic, like cybersecurity preparedness, has a halo effect that could help convey to buyers that the company has been well maintained to a high quality during a hold period. There have been instances where potential deals have fallen through, or value has been impacted, due to inadequate cybersecurity measures. These failed sales underscore the importance of due diligence and the need for healthcare companies to present a well-prepared IT landscape to prospective buyers.

Preparing for the Sale: A Comprehensive Approach

In the era of digital health records and interconnected medical devices, cybersecurity is no longer a mere compliance requirement but a strategic business imperative. Healthcare companies must adopt a proactive stance, ensuring that their cybersecurity measures are comprehensive and up-to-date.

Healthcare companies must ensure that their environment is prepared for the scrutiny of due diligence. This includes:

Conducting Cybersecurity Assessments: Regularly evaluating the current state of cybersecurity controls across people, processes, and technologies to identify risks, gaps and areas for improvement, and benchmark against industry peers. This enables sellers to address these issues proactively before they can negatively impact the transaction or valuation.

Governance, Risk & Compliance Management: Establishing a framework and policies that are rationalized against applicable industry standards, regulatory requirements and contractual obligations is key to managing the processes, risks and controls to ensure proper governance, informed risk management and ongoing compliance.

Vulnerability Assessments & Penetration Testing: Performing regular assessments and testing of systems to identify outdated or vulnerable components and gaps that malicious actors may leverage to attack the environment.

Data Backup and Recovery: Implement robust data backup solutions and test recovery processes frequently to ensure data integrity and availability during a cyber incident.

Technical Security Management: Implementing scalable security technologies to protect against the emerging threat and vulnerability landscape.

Awareness & Training: Launching a training and awareness program for all employees and users to educate them on their role in protecting the organization’s information and assets appropriately. At the end of the day, you are as strong as your weakest link.

Security Operations Management: Developing security operations capabilities for detecting and responding to events and incidents swiftly.

CFGI offers a comprehensive suite of services to assist companies with Cybersecurity maturity and IT security preparedness when planning the sale of a company. Leveraging deep expertise in various industries, CFGI’s Transaction Advisory Services team helps corporate and financial buyers critically assess key opportunities, confirm deal assumptions, and analyze and validate all the financial, commercial, operational, and strategic assumptions being made. This ensures that there are no process pitfalls during the transaction.

The services provided by CFGI in this area include:

Advisory Services: CFGI’s advisory services include cybersecurity strategy and roadmap development, virtual Chief Information Security Officer (v-CISO) services, cybersecurity awareness and training, cybersecurity due diligence for M&A, cyber resilience and cyber insurance readiness, in addition to testing services such as vulnerability management, penetration testing, and third-party security risk assessments to identify and mitigate potential risks.

Transformation Services: CFGI supports business transformation through cloud security readiness, data privacy program implementation, and security operations design. They help implement security frameworks, policies, and advanced security measures such as Zero Trust and endpoint security.

Managed Services: CFGI provides ongoing managed services to maintain and enhance cybersecurity postures. This includes continuous monitoring, security rating evaluation and regular updates to cybersecurity measures to adapt to evolving threats and regulatory requirements.

By leveraging CFGI’s expertise, healthcare companies can ensure their cyber and IT infrastructure is resilient, compliant, and attractive to potential buyers during the sale process.

  • Cybersecurity Due Diligence: Evaluating the cybersecurity posture of the company, identifying potential risks, and providing recommendations to mitigate them before the sale will both help address potential buyer concerns as well as facilitate a rapid and successful underwriting process when Representation and Warranty Insurance and Senior Lender underwriting will be required to close the deal.
  • IT Infrastructure Assessment: Analyzing the current state of IT infrastructure to ensure it aligns with industry best practices and will meet the expectations of potential buyers not only from a capacity and scalability perspective but also considering capability and long-term sustainability.
  • Transaction Readiness and Value Optimization: Preparing the company for sale by optimizing the value of IT and cybersecurity measures, which can be a key differentiator in the transaction process.
  • Carve-out, Integration, and Transition Services: Addressing the separation of IT systems and cybersecurity protocols when carving out business units or subsidiaries will help ensure a smooth transition post-close and give buyers additional comfort pre-close that the carve-out and integration can be achieved in support of the investment thesis.

CFGI’s approach is to place senior transaction professionals in positions to take ownership of and drive critical workstreams, providing practical hands-on support in relation to accounting matters that are critical to the planned transaction. This includes advice on likely bidder reaction to key accounting matters presenting at the company and support in historical and projected revenue analysis, among other services.

For healthcare companies, along with technology and cyber support, CFGI’s sell-side support services include financial and tax due diligence, all of which are critical components of sell-side readiness in the healthcare space.

By partnering with CFGI, companies can ensure that they are well-prepared for the sale, with a strong focus on cybersecurity and IT infrastructure integrity, which are increasingly becoming hot topics in the industry. CFGI’s expertise and services in this area can help companies navigate the complexities of the transaction process and achieve the best possible outcome.

 

Conclusion

Sell-side readiness in the healthcare industry requires a thorough approach to cyber and IT infrastructure preparedness. Events like the Change Healthcare ransomware attack and the CrowdStrike update failure, along with subsequent attacks in 2024 and 2025, serve as stark reminders of the potential risks and their impact on company valuation. By addressing these challenges head-on, healthcare companies can position themselves for a successful sale, ensuring that they meet the expectations of savvy investors and buyers in today’s market.

 

Authors:

Mark Billings, Partner, Healthcare Due Diligence Leader

Matt Podowitz, Partner, Operations & Technology Due Diligence Leader

Ninad Purohit, Managing Partner, Cybersecurity

Lama Abu-Amara, Managing Director, Cybersecurity & Privacy
