cyber incident preparedness checklist

360 Diligence for Digital Health Investments: What to Watch in Today’s Market Trends

Contributors: Dudley Baker, Managing Director, Houlihan Lokey | Luiz Greca, Managing Director, Houlihan Lokey | Chris Schickling, Managing Director, Gallagher

The digital health industry is complex and highly regulated, presenting unique challenges for investment in this space – especially for investors new to the healthcare industry. Healthcare companies have business lines and regulators that do not exist in other sectors of the economy, making it crucial to work with advisors that understand the value proposition of a healthcare business, where value resides amongst potential targets, and how valuations may vary. These complexities, coupled with current market trends, amplify the need for comprehensive diligence strategies to stratify risk and maximize value from advisors that understand the nuances of the healthcare sector.

In this article, we discuss the top three trends we’re seeing in digital health investment and how Gallagher, Houlihan Lokey, and McDermott Will & Emery can position your organization for success from pre-acquisition diligence to post-close operations.

Heightened Scrutiny on Healthcare Transactions and Physician Practice Management Structures

Healthcare transactions and physician practice management structures (sometimes referred to as the “friendly PC model”) are facing heightened scrutiny at both the state and federal levels. Regulators are imposing new requirements on parties and applying stricter transaction review standards, creating hurdles for healthcare investors and companies that may impact their ability to execute transactions and management relationships, and upend standard transaction timelines. For example, state laws like California’s recently passed and subsequently vetoed AB 3129 seek to implement transaction notification and approval requirements that could present new obstacles to closing transactions and may extend pre-closing timelines. This bill would also have changed the ways in which management companies and physician groups arrange for support services. Although Governor Newsom vetoed AB 3129, there is a newfound wave of support at both the state and federal levels to further regulate private investment in, and control of, healthcare organizations, and it continues to gain momentum. Oregon and Massachusetts are examples of other states that have considered similar legislation.

McDermott’s specialized focus on healthcare dealmaking and our scrutiny of the federal and state regulatory landscape helps investors and health companies stay ahead of legal developments, understand implications of proposed regulations, ensure compliance with federal and state agencies, and chart a course to move transactions through the review process efficiently.

Strengthening Cybersecurity

The healthcare sector is particularly vulnerable to cybersecurity issues and continues to be highly targeted for cybercrime. The health sector has historically under-invested in cybersecurity personnel and technology and is increasingly being targeted by sophisticated ransomware and other malicious threat actors.

In recent years, catastrophic cyberattacks on healthcare providers, insurers, and health technology vendors have compromised patient data, triggered a wave of class action litigation, and led to regulatory scrutiny and new regulations of the healthcare industry. These incidents are also incredibly expensive to contain, investigate, and remediate. In fact, according to the 2024 IBM-Ponemon Cost [...]


DOJ Guidance for Victims of Cybercrime: The Dos and Do Nots of Cyber Preparedness

On April 29, 2015, the Cybersecurity Unit in the Computer Crime and Intellectual Property Section (CCIPS) of the U.S. Department of Justice released a best practices document (Document) for victims of cyber incidents. The Document provides useful and practical tips that will assist organizations, regardless of size and available resources, in creating a cyber-incident response plan and responding quickly and effectively to cyber incidents. It iterates many of the important lessons that federal prosecutors and private sector companies have learned in handling cyber incidents, investigations, prosecutions and recoveries.

Assistant Attorney General Leslie Caldwell delivered a speech at the Criminal Division’s Cybersecurity Industry Roundtable on April 29, 2015, wherein she described the Document as “living,” and one that CCIPS will “continue to update as the challenges and solutions change over time.” Caldwell added that this Document is an example of the assistance CCIPS plans to continue to provide in order to elevate cybersecurity efforts and build better channels of communication with law enforcement.

Best Practices for Cybersecurity Preparedness

CCIPS recommends eight steps as part of an organization’s pre-planning activities to help limit computer damage, minimize work disruption, and maximize the ability of law enforcement to locate and apprehend perpetrators:

  1. Identify your “Crown Jewels”—an organization’s most valued assets that warrant the most protection.
  2. Have an actionable plan in place before an intrusion occurs—stressing the word “actionable,” CCIPS suggests organizations decide on specific, concrete procedures to follow in the event of a cyber incident.
  3. Have appropriate technology and services in place—equipment, such as data back-up, intrusion detection capabilities, data-loss-prevention technologies, and devices for traffic filtering or scrubbing, should be installed, tested, and ready to deploy before a cyber incident occurs.
  4. Have appropriate authorization in place to permit network monitoring—obtain employee consent to monitor and disclose, as necessary, their communications to facilitate early detection and response to a cyber incident.
  5. Ensure your legal counsel is familiar with technology and cyber incident management—legal counsel who are conversant with, and accustomed to addressing, issues associated with cyber attacks will speed up an organization’s decision-making process and reduce the organization’s response time.
  6. Ensure organization policies align with the cyber incident response plan—preventative and preparatory measures should be implemented in all relevant organizational policies, such as human resources policies.
  7. Engage with law enforcement before an incident—meeting and engaging with local federal law enforcement offices will facilitate interaction and establish a trusted relationship.
  8. Establish a relationship with cyber information sharing organizations—information sharing organizations exist in every sector of critical infrastructure and may provide cybersecurity-related services.

The Cyber Incident Preparedness Checklist (included in the Document) succinctly outlines these eight steps, and is of practical use to an organization that is creating or improving its already-existing incident response plan. For an incident response plan, the Document provides explicit examples of the types of information an organization should evaluate when assessing the nature and scope of an incident. It also includes the information an organization should document in its initial assessment and the [...]

