Stronger Together: IT Integration and Security Lessons from Healthcare M&As

Healthcare mergers and acquisitions have surged over the past decade as providers seek to expand into new geographic markets, diversify services, reduce operating costs or gain access to more resources. When providers pursue M&As, they must make sure their plans are airtight, which includes being able to execute on their integration goals.

On the IT front, that means standardizing on hardware and security. That’s the easy part. Integrating disparate applications and data is much harder, says Ashish Nadkarni, group vice president of IDC’s Infrastructure Systems, Platforms and Technologies Group.

“The low-hanging fruit is easy: changing laptops and people’s security, moving systems to the same network, retiring a storage array and moving to a new storage array,” he says. “The harder part is the electronic medical record and other applications. You have to decide what stays and what goes, and whether they are even compatible. Then you have to decide how to combine records without any data loss or duplication.”

Click the banner below to effectively integrate your health IT environment.

Growth Through Health IT Integration Takes Planning

Luminis Health’s newly combined IT department spent 2½ years integrating resources between AAMC and DCMC.

First, the team integrated the hospitals’ data centers and networks. DCMC had older servers that needed an upgrade, so the IT staff expanded AAMC’s Nutanix footprint and added more storage to AAMC’s IBM Power8 servers to support DCMC.

The team installed new Cisco routers and Meraki software-defined WAN equipment to create redundant network connections between the two data centers. DCMC’s LAN received an upgrade with new switches and Wi-Fi equipment, eliminating IP address conflicts.

“This allowed us to become one integrated network, which opened the door for us to standardize on one EMR, share services with key applications and standardize the endpoint experience for users,” Rodriguez says.

After integrating the IT infrastructure, the team looked at each hospital’s software case by case and chose a new standard based on features, value and whether it positioned the company for growth, says Ron Nolte, Luminis Health’s vice president of information services applications.

EXPLORE: Why planning is key to managing health IT integration during an M&A.

IT staff mostly chose AAMC’s enterprise-class applications, such as on-premises Epic EMR implementation and PeopleSoft’s ERP and HR applications in the Oracle Cloud, Nolte says. Standardization on some DCMC software included a food service application.

“AAMC had already invested in enterprise-level applications in preparation for our next growth phase. Many of DCMC’s applications were appropriate for its revenue levels but could not scale to the levels necessary for Luminis Health,” Nolte says.

The IT security team used Rapid7 security monitoring software to run vulnerability scans across DCMC’s network and data center, says Luminis Health CISO Mike Widerman. Then DCMC adopted AAMC’s enterprise security solutions, including mobile device management software.

“Our priority was to make sure we have the same security protections and the same set of eyes and ears,” Widerman says.

More recently, Luminis Health upgraded its endpoint security to a Palo Alto Networks solution and has hired a managed service provider to run a security operations center for 24/7 IT infrastructure monitoring. “They are a dedicated extension of our team and will alert us if we need to take action on something,” Widerman adds.

Cybersecurity Scrutiny Is Key in Healthcare Mergers and Acquisitions

A healthcare acquisition is not just adding one organization to another; it could also mean inheriting security flaws and vulnerabilities.

When an M&A deal closes, Lehigh Valley Health Network CIO Mike Minear brings in a third-party cybersecurity vendor to independently evaluate a new acquisition’s security posture.

Once, the Allentown, Pa.-based organization discovered that a newly purchased company had not patched its IT infrastructure for years. Another time, it found active hackers on the network of the acquired organization.

“We do a cybersecurity review, assess everything and fix concerns before we connect the acquired network to ours,” Minear says.

DISCOVER: Tips from CIOs on navigating mergers and acquisitions in healthcare.

The health network, which has 13 hospital campuses, has grown through M&As in recent years, including the purchase of the Coordinated Health system in 2019 and the physician group Delta Medix in 2021.

LVHN brings new acquisitions up to speed on security with new firewalls, data loss prevention tools and implementing Imprivata’s single sign-on technology, Minear says. The organization operates two data centers in colocation facilities and typically has enough capacity to absorb providers into its infrastructure.

Over the years, the health network has archived patient data from more than 40 EMRs as acquired organizations migrated to LVHN’s Epic implementation. Old patient data has been harmonized into a common format. If physicians need to see older records, they can click a button on Epic and access the archived data, Minear says.

“It sounds easy, but it takes years and a lot of work to get that done right,” he adds.

Click the banner below to learn IT integration best practices during a merger or acquisition.

Moving Forward Securely as One Integrated Organization

In Tacoma, Wash., MultiCare Health System includes 11 hospitals and more than 230 clinics, and it has expanded services through acquisitions and partnerships in recent years. In 2021, MultiCare purchased the 107-bed Capital Medical Center in nearby Olympia.

MultiCare CIO Bradd Busick says the organization worked with a third-party partner to obtain an inventory of CMC’s technology as part of due diligence. That early preparation work helped the IT department hit the ground running when the merger was finalized in April 2021 and enabled MultiCare to fully integrate CMC into the fold seven months later, which included the adoption of MultiCare’s Epic EMR, he adds.

IT administrators upgraded CMC’s core network with new Cisco switches and expanded Wi-Fi access by blanketing the hospital with new access points. This enabled clinicians to perform telehealth services on tablet devices and use Microsoft Teams for internal collaboration. “The hospital’s prior wireless network was nascent and not stable,” Busick says.

LEARN MORE: Here are best practices for health IT teams on handling mergers and acquisitions.

CMC also had older computing equipment, so MultiCare upgraded the hospital with Dell desktop computers, tablets and thin-client devices for EMR access.

As for security, Busick’s team brought CMC up to MultiCare’s corporate security standards, which included upgrading its firewalls and endpoint security and deploying Medigate, a tool that crawls the network and analyzes medical equipment to identify vulnerabilities.

MultiCare also protects CMC through its security operations center, run by a third party that monitors the IT infrastructure and provides incident response. “We brought them onto our security footprint,” Busick says.