Healthcare anticipates a surge in M&A activity, so the time for due diligence is now. Ambulatory care locations are often of interest in M&A scenarios, and a focus on infrastructure, cybersecurity, and tech stack offers the greatest opportunity to inform related decisions.
Integrating ambulatory services into your existing health system often involves limited IT resources and infrastructure challenges that can be some of the most complicated in healthcare. Complexities stem from disparate systems, varying levels of IT sophistication, and change management for the human resources involved. Certain challenges are common and can be better understood through due diligence focused on infrastructure, cybersecurity, and tech stack.
Challenges to Consider
In the ambulatory space, challenges are often exacerbated by factors related to former investment and operational strategies of the acquired organization.
Consequences of inherited investment deficit:
- outdated or unsupported systems and infrastructure
- lack of a mature cybersecurity posture
Operational inefficiencies from former ownership scenarios:
- duplicate applications that must be rationalized quickly in acquisition scenarios
- inconsistent processes that must be standardized before governance is defined/adopted
- toolsets and/or configurations suited to ambulatory specialties (general surgery, orthopedics, eye, etc.), not integrated care
Fragmented technologies, whatever their origin, are common across ambulatory systems. As a case in point, consider this statement from a CIO in Florida:
"When I first arrived at Jupiter Medical Center in 2020, I came across all these fragmented systems. So we had one platform for the inpatient side, another one for the ambulatory side, a product for registration, and another one for billing. And from a patient experience standpoint, it was pretty fragmented with a capital F. So I'm going to take that at a provider level. It was complex."
Kevin Olson, CIO, Jupiter Medical Center
Three Focus Areas for Due Diligence
For facilities contemplating acquisition, due diligence focused on infrastructure, cybersecurity, and tech stack will help inform related decisions, help navigate other system-specific issues, and help determine whether partners need to be involved.
Infrastructure:
+ Network Infrastructure
- What is the current capacity and stability of the network infrastructure?
- How secure is the network, and what are the potential points of failure?
- How does the budget for network infrastructure compare to actual expenditures?
+ Server Environment
- What is the age, capacity, and support status of the servers?
- What modernization options are available, including virtualization and redundancy?
- What disaster recovery plans are in place?
+ End-User Devices
- What is the age and condition of workstations, laptops, and other devices?
- Are these devices configured to comply with HIPAA requirements?
+ Security Infrastructure
- What is the status of the firewall, intrusion detection/prevention systems, and endpoint security solutions?
- When were the security policies, procedures, and incident response plans last updated?
+ Tools for User Directory and Identity Management
- What is the structure and health of the user directory, including Active Directory accounts and group policies?
- What are the current password management practices and access/permission scenarios?
+ Telecom
- What is the capacity, redundancy, and cost-effectiveness of voice and data circuits, including internet connectivity, WAN connections, and phone systems?
Cybersecurity:
+ Vulnerability Assessments and Penetration Testing
- What actions have been prioritized to address the findings of recent vulnerability assessments and penetration testing?
+ Compliance with Security Regulations
- How is ongoing compliance with HIPAA and other security regulations ensured?
- Is there a leadership team champion and governance structure in place to emphasize the priority of cybersecurity?
+ Cybersecurity Training and Adoption
- What current training and adoption strategies are in place to drive cybersecurity-conscious behaviors among all members of the organization?
+ Incident Response Protocols
- What response protocols are practiced in the event of a cybersecurity incident or breach?
+ Governance and Leadership Focus
- How do governance and leadership focus on risk mitigation, behavior training, and other measures to ensure employees are the first line of defense?
Tech Stack:
+ Inventory of Solutions
- What tools and solutions are currently in use, and what versions are they running?
- Are there any dependencies or integrations that need to be considered?
+ Compatibility and Integration
- How compatible are the current tools and solutions with potential new systems?
- What are the scenarios for integration with existing infrastructure?
+ Resource Allocation
- How is resource attention divided between discovery, due diligence, and everyday operations?
- What optimization priorities are currently being juggled by the internal team?
+ Strategic Decision-Making
- How comprehensive and rationalized is the inventory of solutions to inform the acquisition decision?
- What key factors are considered in deciding for or against the acquisition based on the tech stack?
Partnering for Due Diligence and Change
Partners with experience in working through the challenges of acquiring, or even of thinking about acquiring, can help. Internal IT teams with additional capacity and access to expertise can be stronger, more effective at a larger scope, and right-sized for the peaks and valleys of acquisition due diligence. Consider involving advisors for merger, acquisition, and divestiture due diligence to ensure your next acquisition has expert decision support.