By Phil Englert
Health care provider mergers and acquisitions have been a common trend in the health care industry for several years. In 2020 Atrium Health, based in Charlotte, North Carolina, and Wake Forest Baptist Health, based in Winston-Salem, North Carolina, announced plans to merge, forming one of the largest health care systems in the region. Also in 2020, Providence St. Joseph Health, a large health system based in Renton, Washington, merged with Adventist Health System, based in Altamonte Springs, Florida. This merger created one of the largest faith-based health care systems in the United States. In the prior year, though not a merger in the traditional sense, but rather the result of a mega-merger between Catholic Health Initiatives and Dignity Health in 2019. CommonSpirit Health became one of the largest nonprofit health systems in the U.S., operating in 21 states. CommonSpirit then expanded into Utah by acquiring 5 additional hospitals in 2023.
Bringing two organizations together in merger and acquisition (M&A) activity can be a complex process fraught with challenges including cultural differences, leadership alignment, employee morale, stakeholder communications, and patient experience and perception. Managing change effectively can reduce resistance and accelerate success. A recent Bain and Company report states that pre-merger due diligence fails to provide an adequate roadmap for capturing synergies and creating value 42% of the time. As technology managers, the strategic decisions to entertain and pursue M&A opportunities are almost always made well above our pay grade. That doesn’t mean there isn’t an opportunity to influence and thus make our roles easier during the integration phases. Before we explore how technology leaders might influence deals and the resultant operations, let’s explore some of the challenges technology leaders face in supporting M&A activity.
Mergers typically involve two competitors joining forces while acquisitions are pursued when buying is perceived as easier than creating or building from scratch. Early discussions at the senior executive level are strategic and conceptual. From a business perspective due diligence is about legal structures and ownership authorities to enter into the transaction. The choice to pursue might be predetermined even before the technical due diligence begins. At some point, you will be brought into the process. Leadership often desires 100% confidence in the technology or security of the infrastructure while strategic decisions are made on the best available information at the time. How can technology managers engage regardless of what point the deal has progressed to?
Human nature, it seems, welcomes change … until it impacts you. Mingling two organizations is not easy. Ideally, the due diligence process includes a complete review of the technology infrastructure and the governance and maintenance operations processes that have kept it operational. Often, this is a paper chase of surveys, interviews and audits that may not paint a complete picture. Sure, they may have a Security Information and Event Management (SIEM) system, but does it cover the entire tech stack? Is the response adequate, or are unaddressed risks stacking up? Have they held things together with band-aids and baling wire rather than investing in upgrades, updates and replacements? Do staff feel defeated rather than empowered?
Each merger and acquisition is unique. It is helpful to break the process into three phases: Pre-Acquisition, Post Acquisition, and Integration so that you have a framework to work through no matter what your point of engagement is.
Ideally, the Pre-Acquisition phase when the bulk of the information gathering takes place often involves questionnaires to reveal the state of technology and infrastructure. We’ll focus on cybersecurity for a consistent thread to tease out. Questions often involve the size of the budget and the IT security spend as a percentage of the IT spend. Questions about a vulnerability management policy and program as well as patching. What is the history of cybersecurity incidents? What portions of the cybersecurity program are managed by third parties? What are the recent investments in tools and technologies? Is there a cybersecurity insurance policy and have there been any claims? Get an outside-in look at the organization’s security posture using a tool like Security Scorecard. The goal is to understand the gaps and estimate the costs to achieve the desired cybersecurity maturity level.
Phase two, or Post-Acquisition begins on day 0 of operate. This is when, for better or for worse, you’ve taken on the responsibility for the newly acquired assets and the risks they introduce to your organization. Organizations should expect to experience increased levels of attacks post-acquisition. Threat actors may target the connections between the two organizations knowing that staff priorities may have been shifted away from primary security functions or the disparate technology staff dilute effectiveness and efficiencies depending on attack vectors and techniques employed. Phase 1 may not be complete when Phase 2 begins. Continuing to collect information and refine details will enable you to build better integration plans.
The integration phase is dependent on the quality of information gathered during the pre-acquisition phase and the experience gained during phase two. Re-evaluate the organization’s cybersecurity posture now that it is combined. Each project will be unique to the purpose, objectives, technologiesw and culture. Use the information gathered in Phase 1 to identify gaps and begin correcting known issues.
No matter when you get brought into the process you can use the three-phase framework to identify and prioritize what needs to be done to build resilience into the technology stack of the new organization. Gather information and formulate a plan. Prepare for increased threat activity and develop a response plan as the new company sandbox takes shape. Accept that each merger and acquisition will be unique and bring a flexible mindset while gathering the information to develop an effective plan to establish resilience within the new organization.