In mergers and acquisitions (M&A), buyers must perform due diligence with a rigorous cybersecurity assessment, to make sure the companies get the value they are paying for. Before pursuing a divestiture or sale, sellers also should examine cybersecurity practices to help reduce time and costs, avoid surprises and sweeten deals.
Read the full article at: www.cio.com 
The recent article on ensuring cybersecurity in mergers and acquisitions from CIO.com, given all the recent healthcare provider strategic changes, got us thinking about how to ensure PHI security during hospital and provider M&As.
Often, IT staff may have a strategic plan, but certainly not a comprehensive mapping of where all patient data is stored and sent, and of course any vulnerabilities along the way. Over time, data highways of a given health practice get more and more complex.
This downstream lab here needed a quick ADT, the downstream hospital still needs faxed results or via an online portal, and pretty soon you have a complex process to map.
Typically, data mapping is part of the due diligence for the hospital or clinic to provide to a potential buyer. Worst case scenario, the problem is dropped on the potential buyer, who now has an unknown mess of data highways and potential PHI vulnerabilities.
Have you ever bought sour milk? How about a mine field?
A few years ago I traveled to Israel. Once we got closer to the Syrian border, there was so much open land, which didn’t add up in a small county like Israel. When I asked the tour guide why there was all this flat land in seemingly perfect condition, his response was surprising “Mines,” he said, “from the last war. They’re several decades old but still active and very dangerous, and they are so far buried underground that it makes modern technology nearly useless in discovering them.”
PHI vulnerabilities are like buying a mine field: Hard to uncover and generally hidden, but not something you want to find.
Before purchasing a hospital, clinic, or other healthcare entity that serves patients, it is good practice to have the organization map their entire data flow to each external and internal system and for the potential buyer to verify the results. An internal IT team should be able to provide this information. The potential risk of stolen patient information and released billing info is too high.
Protecting your own land:
It is important to have comprehensive data mapping that reflects the reality of PHI data flow. Corepoint Integration Engine comes natively with complex data flow mapping, where one can see every entity a healthcare provider is sharing data with, exactly what information is being shared, and view message logs of all the data that has been shared in the past. High level and low level views of all external and internal systems can be easily viewed and drilled down on, with all the relationships and networks that come along with a strategic data network.
Because all patient data is shared in Corepoint Integration Engine, the data flow responds in real time and therefore enables customers to constantly maintain an updated data flow without any custom work.