Healthcare News & Insights

Three critical IT risks to avoid in mergers

Successful healthcare mergers depend on the successful fusion of IT systems. In this guest post, William Tanenbaum, leader of the healthcare IT practice at a law firm, focuses on three critical risks in merging IT systems: cyber security, exceeding the scope of software licenses and transition service agreements.


Failing to properly address these risks can lead to unexpected and harmful results that affect patient care, IT and business operations. Properly used, contracts and legal analysis can provide an “early warning system” to identify and remediate risks before they undermine the merger.

Risks: Data breaches, ransomware and wearables

Cyber security threats are three-fold:

  1. In a data breach, personal health information (PHI) is stolen, disclosed and often sold on the Internet black market. Criminals pay more for PHI than for credit card numbers. Gaining access to the first page of a patient’s medical chart is identity theft on a platter.
  2. Ransomware is a new cyber risk. Here, data isn’t stolen, but rather locked up within a hospital’s own IT system. Criminals demand a ransom to give a hospital its own data back.
  3. Wearable medical devices create a third risk if they’re built without strong security. Sensitive data can be accessed, the devices can malfunction because of unanticipated interference from other hospital equipment, and patient care may be affected.

In a healthcare merger, the risk is that one or all of the parties has some kind of cyber security weakness that subjects the merged entity to government sanctions, legal liability, IT operating problems and reputational harm.

More and more class action lawsuits are being brought in the wake of data breaches. More will come in the future from ransomware, with allegations that patient care was harmed because the hospital couldn’t access patient records, and from wearables, with allegations of unauthorized data access or patient injury from device malfunction due to security flaws.

Contracts, legal analysis and technology should be used to mitigate these cyber risks.

Merger agreement assurances

When an entity is involved in a merger, it should give the following assurances in the agreement. It should state not only that it has implemented a written HIPAA-compliant cyber security policy and is compliant with it, but that its IT vendors are compliant, too. This is important because third-party IT vendors are often the gateway to data breaches.

The party should also state that it hasn’t had a data breach or a ransomware attack, or, if it has, it should provide a report from an independent cyber security company verifying that the deficiencies that permitted the cyber attack have been cured.

Moreover, a hospital should hack itself. IT systems implement security policies, and ethical hacking tests whether the IT systems actually enforce them.

The parties should also disclose any government investigations or third-party claims alleging security failures or risks, and any damages or penalties that may be imposed. With respect to wearables, a party should affirm that it has tested the devices in the hospital environment and verify that the wearables meet required cybersecurity standards.

Have you acquired an IT license or a lawsuit?

By their nature, software licenses include limitations on use. These often include limiting the number of employees who can use the software, restricting use to specified locations and, importantly in the merger context, preventing license rights from being assigned and the software from being used by the merger partner or the combined entity.

Legal analysis of the parties’ licenses is required in light of the merger structure, and business and technology objectives are assessed to determine what changes and additional rights are needed so the merged entity can use the software systems contributed by each party. If combined use isn’t permitted, then a pre-merger risk will cause a post-merger IT debacle, including possible lawsuits from vendors for breach of contract or IP infringement.

Curing license rights can be difficult and expensive at any time. Having to do so immediately after the merger, as an unexpected but urgent task, makes it even more difficult and expensive.

TSA: An IT solution, not an airport check point

Similar issues arise when hospitals outsource IT and data functions. The risk is that the vendor will cease providing services, either to a merger party during the transition or to the new entity before IT integration has been completed. This risk is addressed by entering into a transition services agreement (TSA) to secure these third-party IT services during this period.

The best cyber security defense is to know your cyber security risks before the criminals discover them. The best way to avoid being sued for exceeding license rights is to perfect these rights before the merger. The best way to avoid interruption in outsourcing services is to secure continuity of services using binding transition service agreements. All contribute to technical, business and medical success in healthcare mergers.


William Tanenbaum leads the health care IT practice at the law firm of Arent Fox LLP, which is internationally recognized in core practice areas where business and government intersect.
