Here, AXIS Imaging News talks to Matt Murren, CEO/CISO, CISSP-ISSMP of cybersecurity firm TrueNorth, about what private equity is looking for when valuing a practice. Most, he says, are looking very closely at back office and cybersecurity infrastructure, so imaging practice leaders need to come up to speed.
AXIS Imaging News: Private equity has moved into radiology in a big way, and investors are increasingly looking well beyond group practice revenues, market share, and other key considerations. They are now scrutinizing infrastructure and back office, with much more attention being paid to cybersecurity. How sophisticated an understanding of this do both investors and imaging practices have?
Matt Murren: Private equity investors know that infrastructure, back office, and cybersecurity are as much a part of consolidation as operations, finance, and other layers. They understand the value of cybersecurity, but not necessarily the specific areas that technology can be leveraged to continue to improve the bottom line. Investors are not going to be as up to speed as groups like ours that live and breathe healthcare IT, and we don’t expect them to be.
There is a spectrum of those that understand which technologies are available. We do see that some private equity groups have chief technology officers with a sophisticated understanding of systems and system consolidation, but many still look to groups like ours to see what others are doing. Group practices have these functions audited early as they enter dialog with private equity groups, so awareness is increasing sharply from that. Plus, word gets out.
AXIS: Can you give a sense of what getting up to par or being in good shape looks like in terms of medical device cybersecurity?
Murren: In the IT universe, there are so many layers of cybersecurity to put time and money into. What you want is to be “in the pack” or slightly ahead. Usually, that includes having a documented security program, meaning you have policies and procedures, and a documented security training and awareness program that is signed off annually by your employees.
Typically, you’ll want to have a managed endpoint detection and response software platform with 24/7 monitoring to catch events and block security risks. Having multifactor authentication in place for email and other critical systems is important. Outside of that, it’s essential to have firewalls, strong passwords, and logging and monitoring, which all are IT best practices. When we see organizations that have successfully put those in place, they’ve then addressed 95% of security risks. Those are the minimum necessary systems in place today.
AXIS: We know that both investors and practices look to you to assess their cybersecurity status. What amount of time, effort, and cost is typically involved to get them to the gold standard?
Murren: Firstly, it depends on the size of the group, number of employees, number of devices, and the size of the IT program. Typically, we are contacted by either the chief operations officer or, if the group has IT, we will work alongside their IT department. We perform an IT maturity assessment. The smallest groups with fewer than 100 employees would be around $20,000 to $25,000 for an assessment, and larger groups would be in the $100,000 to $150,000 range. We will typically complete those assessments in around two to three months. A comprehensive report is generated, and we walk the stakeholders through the gaps.
AXIS: How do investors look to harmonize IT systems and security when bringing together several practices?
Murren: As private equity consolidates, investors want scalability. We are seeing a desire to standardize core infrastructure and IT application layers. As private equity groups acquire more groups, they sometimes use the same software that has overhead maintenance expenses like data centers and software agreements. So collapsing that infrastructure and getting cost back to the bottom line is the first priority.
Along with that is a risk component. Whenever a group is acquired, there is immediate concern around what security controls they have in place. We have assisted groups in creating that standardized network, standardized storage of data with similar access controls, usually six to eight months post-acquisition, if not sooner. The end goal is to give stakeholders and investors an idea of what each location costs in terms of standardization, so that they can weigh that cost and benefit. Usually, it is a no-brainer because you have labor, software and hardware, and other expenses that can be consolidated at the parent-corporation level.
AXIS: What are the benefits of hiring IT experts that specialize in healthcare?
Murren: The difference between a standard IT provider and a provider that lives and breathes healthcare technology is the repetition and experience in this specific area. There are also always new technologies coming out that benefit investors, and you are aware of them if you are part of the healthcare ecosystem.
It goes beyond security; it goes into the business layer to maximize the bottom line, especially toward consolidation. Moreover, healthcare has unique security risks, such as protecting patient data and laws around that, as well as keeping life-saving and sustaining devices protected from harmful malware.
AXIS: Do all healthcare-specializing cybersecurity firms go into the business layer in this way?
Murren: There are two different types of IT service providers. One type is focused on infrastructure and security, which is very important. It’s the meat and potatoes. Then there are IT providers who focus not only on infrastructure and security, but also the business layer. If your IT base infrastructure isn’t working, you should start there—because with constant interruptions, you can’t get to that layer of maturity needed to go further into maximizing the bottom line. It’s a unique mix to traverse both infrastructure and security, as well as business and finance considerations.