Does PE Ownership Bear Some Blame for the Healthcare Cyberattack Crisis?
Isabel O'Brien
The number of cyberattacks on healthcare systems has risen dramatically in recent years, with the ID Theft Center’s 2023 Data Breach Report showing that healthcare was the top industry for cyberattacks in 2023, having seen its number of breaches more than double year-over-year from 2022.
At the same time, private equity involvement in healthcare has also risen. According to the Lown Institute, a healthcare-focused think tank, private equity buyouts of physician practices were six times higher in 2021 than in 2012. Additionally, about 30% of for-profit hospitals are currently owned by private equity.
Could these two trends be linked?
“The biggest theoretical issue [in PE-backed healthcare] is really around network and cybersecurity,” said Duff Bourassa, a managing director for consultancy E78’s healthcare division. “A lot of these smaller clinics use on-premise servers. So when private equity gets involved, they want to get them to the cloud as quickly as possible so they can have easier access to the [clinic’s] data.”
Todd Zigrang, president of Health Capital Consultants, a St. Louis-based advisory firm that works with a number of private equity firms during healthcare acquisitions, has also noticed this trend: “[Smaller companies] would have the billing in-house. There’s typically a server on-site,” he explained. “The ability of [private equity] to bring them into their IT systems to transfer their data so they can participate in value-based [operations assessments]… is important.”
And the cloud may be the key – in 2022, for example, 61% of healthcare respondents encountered a cloud infrastructure breach, according to KMS Healthcare.
What is the cloud?
The cloud is an umbrella term for the servers hosted by a variety of different companies that allow users to access their data and files without physically saving them to their hard drives.
As Bourassa mentioned, the cloud provides private equity firms with much-needed data to make informed business decisions in real-time, across assets. The same could not be done with numerous internal IT servers — scraping data from them regularly would be labor-intensive and slow.
“It's operational,” explained Bourassa. “I want to know: how many patients came in today… how many different procedures did I do? If I'm behind, then I need to allocate resources to either increase scheduling or maybe I need to change marketing.”
“All of those numbers and metrics are key indicators for private equity and they want to know as quickly as they can,” he continued.
Whether moving to the cloud makes firms more secure is highly debated. Bourassa explained that cloud-based servers offer more insight into who is accessing data, where they’re accessing it from, and when they’re accessing it. While a small internal server can be subject to phishing and ransomware, he added, such servers are overall more difficult to hack.
“There's a benefit to having a local server because you're less likely to be broken into; it's much harder to get information out of,” explained Bourassa. “They're local; they're usually more protected because they're inside an office.”
Furthermore, there’s less incentive to hack a small, singular server, as the “reward” for doing so is much smaller than the “reward” that would be reaped from hacking multiple healthcare sites all on one server.
While Bourassa did not go as far as to link the growing number of cyberattacks to private equity ownership or the cloud, he did maintain that the security of cloud systems has become a major issue for investors.
However, the rise in cloud-related cyberattack incidents and the cloud's integral role in PE's healthcare operations are hard to ignore, especially when PE ownership of healthcare is increasing.
A larger trend
Migration to the cloud is not exclusive to private equity. Large corporate healthcare conglomerates and mergers are on the rise, and these organizations also need quick analytics; they, too, move their clinics to the cloud.
However, the cloud-based IT needed for large-scale healthcare operations is crucial to most private equity firms when it comes to value creation in healthcare. Add-on deals make up a majority of private equity-related healthcare deals, according to PitchBook.
In fact, if it weren’t for private equity or corporate ownership, it is unlikely that these firms would make the decision themselves to move to the cloud.
“Most of the local firms [aren’t on the cloud], just because it's a heavy cost and they don't have the resources,” explained Bourassa. “They've got a firm that handles their IT and they maybe have five or six laptops, and that's it. They just don't have the infrastructure. When private equity gets involved, they have the money; they have the infrastructure.”
The security issues associated with the cloud, alongside cost issues, have led to a growing IT repatriation movement across sectors. A 2024 survey from Citrix, a cloud computing company, found that 94% of respondents had been involved in cloud repatriation in the past three years.
This is a strategy that may not be realistic for many private equity operators. What PE firms can do, however, is keep a dedicated chief information security officer on staff, especially in the lower and middle markets. As we outlined in our February 2024 Cybersecurity Playbook in Private Equity Report, such an individual can put in place operational excellence tools like portfolio-wide diagnostics, proper insurance, dedicated cybersecurity staff, and training modules for non-IT staff to keep data safe.