
Private equity-backed healthcare companies are underperforming when it comes to preventing and responding to cyberattacks, according to a new report from Clearwater Security.
“Firms that proactively address cybersecurity can reduce liability, strengthen resilience, and not only protect but also accelerate revenue growth and create long-term value,” Clearwater CEO Steve Cagle said in a statement.
The Nashville, TN-based company said it found “systemic gaps” in security preparedness among private equity-backed healthcare companies.
“Private equity firms need to consider the cybersecurity risk profiles of companies when deciding whether to acquire them or merge them with other businesses,” according to the report.
Cybersecurity weaknesses can threaten an entire portfolio, Clearwater found.
Using HHS’ 405(d) Health Industry Cybersecurity Practices framework, the security company examined the top cybersecurity practices necessary to mitigate threats, such as:
- an email protection system,
- data protection and loss prevention,
- cybersecurity oversight and governance,
- vulnerability assessment,
- network management and
- endpoint protection systems.
The findings showed that many PE-backed healthcare companies lack a formalized incident response plan or rely on outdated procedures, and that they do not conduct regular tabletop exercises, “leaving them unprepared for ransomware and system outages,” according to the report. The companies also often lack organized recovery processes, which affects downtime and financial losses.
Clearwater further noted weak data classification, inconsistent encryption and limited insider threat monitoring among the firms.
“Cybersecurity and resilience capabilities are creating winners and losers. Firms who are [making] cybersecurity a standard part of due diligence, perform ongoing risk analysis and align cybersecurity goals to their investment strategy are winning, as they are more competitive in the market while also avoiding costly breaches, regulatory penalties and post-acquisition surprises,” Cagle said. “We see winning private equity firms taking a proactive approach to ensuring their portcos [portfolio companies] have effective cyber risk management programs in place.”